From 1e65114d6894d7ce1ae6b7931d32e142971235c4 Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Mon, 6 Sep 2021 18:40:14 +0000
Subject: Return 404 when filtering by a non-visible user in activity view
 (#35789).

Patch by Mischa The Evil.

git-svn-id: http://svn.redmine.org/redmine/trunk@21209 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/functional/activities_controller_test.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'test')

diff --git a/test/functional/activities_controller_test.rb b/test/functional/activities_controller_test.rb
index 6a722d8a1..a759dab31 100644
--- a/test/functional/activities_controller_test.rb
+++ b/test/functional/activities_controller_test.rb
@@ -107,6 +107,18 @@ class ActivitiesControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_user_index_with_non_visible_user_id_should_respond_404
+    Role.anonymous.update! :users_visibility => 'members_of_visible_projects'
+    user = User.generate!
+
+    @request.session[:user_id] = nil
+    get :index, :params => {
+      :user_id => user.id
+    }
+
+    assert_response 404
+  end
+
   def test_index_atom_feed
     get(
       :index,
-- 
cgit v1.2.3