From 7944884d30fb32dbb611060693553be831cb0735 Mon Sep 17 00:00:00 2001 From: Mischa The Evil Date: Thu, 19 Aug 2021 00:40:55 +0200 Subject: [PATCH 2/2] Don't throw a 404 error on activities index with a not visible user_id param. After applying this change, Redmine will respond with a sanitized activities index view when it is requested with a user_id param that is not visible, instead of immediately returning a 404 error.
---
 app/controllers/activities_controller.rb | 8 +++++++- test/functional/activities_controller_test.rb | 7 +++++-- 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index 824aaa2ef..156014371 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -33,7 +33,13 @@ class ActivitiesController < ApplicationController
 @date_from = @date_to - @days
 @with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1')
 if params[:user_id].present?
- @author = User.visible.active.find(params[:user_id])
+ begin
+ visible_and_active_user = User.visible.active.find(params[:user_id])
+ rescue ActiveRecord::RecordNotFound
+ @author = nil
+ else
+ @author = visible_and_active_user
+ end
 end
 @activity = Redmine::Activity::Fetcher.new(User.current, :project => @project,
diff --git a/test/functional/activities_controller_test.rb b/test/functional/activities_controller_test.rb
index 92c915db6..faf313745 100644
--- a/test/functional/activities_controller_test.rb
+++ b/test/functional/activities_controller_test.rb
@@ -107,7 +107,7 @@ class ActivitiesControllerTest < Redmine::ControllerTest
 assert_response 404
 end
- def test_user_index_with_non_visible_user_id_should_respond_404
+ def test_user_index_with_non_visible_user_id_should_respond_without_processing_user_id_param
 Role.anonymous.update! :users_visibility => 'members_of_visible_projects'
 user = User.generate!
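Review bot: The `rescue ActiveRecord::RecordNotFound` added inside the `if params[:user_id].present?` branch of activities_controller.rb catches every miss on `User.visible.active.find`, so a nonexistent or inactive id now takes the same path as a non-visible one, which is wider than the commit message states. Answering all three cases alike is sound, since the response no longer tells a caller which hidden accounts exist, but `@author = nil` presumably leaves the fetcher built just below the hunk without an author filter, so the request returns the unfiltered feed; confirm that is intended and check the test ending just above the renamed one, which still asserts 404. The begin/rescue/else with its temporary can be reduced to `@author = User.visible.active.find_by(:id => params[:user_id])`, which returns nil on a miss. The enclosing action starts and ends outside the hunk.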
@@ -115,7 +115,10 @@ class ActivitiesControllerTest < Redmine::ControllerTest
 get :index, :params => { :user_id => user.id }
- assert_response 404
+ assert_response :success
+
+ assert_select 'h2', :text => "Activity", :count => 1
+ assert_select "h2 a:match('href', ?)", /\/users\//, {:text => "Bob Doe", :count => 0}, "Not visible user link element and/or link text present"
 end
 def test_index_atom_feed
-- 2.26.0.windows.1
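Review bot: The negative assertion on the last added line hard-codes `"Bob Doe"`, presumably the default name `User.generate!` assigns, and because it checks `:count => 0` it keeps passing if that default ever changes, even when the hidden user's link is rendered in the heading. Take the text from the record so the check stays tied to the user under test: `assert_select "h2 a:match('href', ?)", %r{/users/}, {:text => user.name, :count => 0}, "Not visible user link element and/or link text present"`. The test covers only the heading; whether the listed events are filtered is not asserted here. The test method begins in the previous hunk, outside this one.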