Defect #35789 » 0001-Fix-username-leakage-on-activities-index-with-user_i.patch
| app/controllers/activities_controller.rb | ||
|---|---|---|
| 33 | 33 |
@date_from = @date_to - @days |
| 34 | 34 |
@with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1') |
| 35 | 35 |
if params[:user_id].present? |
| 36 |
@author = User.active.find(params[:user_id]) |
|
| 36 |
@author = User.visible.active.find(params[:user_id])
|
|
| 37 | 37 |
end |
| 38 | 38 | |
| 39 | 39 |
@activity = Redmine::Activity::Fetcher.new(User.current, :project => @project, |
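Review bot: The `User.visible.active.find(params[:user_id])` line now carries the whole access decision for the user filter, but nothing at the call site says so, and a later refactor could drop `.visible` with no hint that it is a disclosure control. I would add a comment above it such as `# Only resolve users visible to User.current; a hidden id must 404 exactly like an unknown one`. The 404 depends on `find` raising and on a rescue that is outside this section, so it is worth confirming that handler returns the same response for a hidden user and a nonexistent one. `visible` is called without an argument and so presumably falls back to `User.current`; writing `User.visible(User.current)` would make that dependency explicit. The enclosing action starts and ends outside the hunk.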
| test/functional/activities_controller_test.rb | ||
|---|---|---|
| 107 | 107 |
assert_response 404 |
| 108 | 108 |
end |
| 109 | 109 | |
| 110 |
def test_user_index_with_non_visible_user_id_should_respond_404 |
|
| 111 |
Role.anonymous.update! :users_visibility => 'members_of_visible_projects' |
|
| 112 |
user = User.generate! |
|
| 113 | ||
| 114 |
@request.session[:user_id] = nil |
|
| 115 |
get :index, :params => {
|
|
| 116 |
:user_id => user.id |
|
| 117 |
} |
|
| 118 |
assert_response 404 |
|
| 119 |
end |
|
| 120 | ||
| 110 | 121 |
def test_index_atom_feed |
| 111 | 122 |
get( |
| 112 | 123 |
:index, |