github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Hide user profiles from public

Browse Source 
User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
This commit is contained in:
Bianca Nenciu
2023-09-27 20:10:26 +03:00
committed by Penar Musaraj
parent 6350ba2cb3
commit 76bdea5ce2
3 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/controllers/users_controller.rb
View File

@ -114,9 +114,7 @@ class UsersController < ApplicationController
end
def show(for_card: false)
if SiteSetting.hide_user_profiles_from_public && !current_user
raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
end
guardian.ensure_public_can_see_profiles!
@user =
fetch_user_from_params(
@ -165,9 +163,7 @@ class UsersController < ApplicationController
# This route is not used in core, but is used by theme components (e.g. https://meta.discourse.org/t/144479)
def cards
if SiteSetting.hide_user_profiles_from_public && !current_user
raise Discourse::NotFound.new(custom_message: "invalid_access", status: 403)
end
guardian.ensure_public_can_see_profiles!
user_ids = params.require(:user_ids).split(",").map(&:to_i)
raise Discourse::InvalidParameters.new(:user_ids) if user_ids.length > 50
@ -496,6 +492,8 @@ class UsersController < ApplicationController
end
def summary
guardian.ensure_public_can_see_profiles!
@user =
fetch_user_from_params(
include_inactive: