FIX: Ensure username param is valid in NotificationsController.

app/controllers/notifications_controller.rb

@@ -5,8 +5,14 @@ class NotificationsController < ApplicationController
   before_filter :ensure_logged_in
 
   def index
-    user = current_user
+    user =
-    user = User.find_by_username(params[:username].to_s) if params[:username]
+      if params[:username] && !params[:recent]
+        user_record = User.find_by(username: params[:username].to_s)
+        raise Discourse::InvalidParameters.new(:username) if !user_record
+        user_record
+      else
+        current_user
+      end
 
     guardian.ensure_can_see_notifications!(user)
 

spec/controllers/notifications_controller_spec.rb

@@ -5,6 +5,7 @@ describe NotificationsController do
   context 'when logged in' do
     let!(:user) { log_in }
 
+    describe '#index' do
       it 'should succeed for recent' do
         xhr :get, :index, recent: true
         expect(response).to be_success
@@ -15,11 +16,6 @@ describe NotificationsController do
         expect(response).to be_success
       end
 
-    it 'should succeed' do
-      xhr :put, :mark_read
-      expect(response).to be_success
-    end
-
       it 'should mark notifications as viewed' do
         notification = Fabricate(:notification, user: user)
         expect(user.reload.unread_notifications).to eq(1)
@@ -38,6 +34,19 @@ describe NotificationsController do
         expect(user.reload.total_unread_notifications).to eq(1)
       end
 
+      context 'when username params is not valid' do
+        it 'should raise the right error' do
+          expect { xhr :get, :index, username: 'somedude' }
+            .to raise_error(Discourse::InvalidParameters)
+        end
+      end
+    end
+
+    it 'should succeed' do
+      xhr :put, :mark_read
+      expect(response).to be_success
+    end
+
     it "can update a single notification" do
       notification = Fabricate(:notification, user: user)
       notification2 = Fabricate(:notification, user: user)