From f5639e1cbe0eb9de88a8f4b1c82833fdcffe62b8 Mon Sep 17 00:00:00 2001
From: Claire
Date: Fri, 28 Jan 2022 14:24:37 +0100
Subject: [PATCH] Change public profile pages to be disabled for unconfirmed users (#17385)
Fixes #17382
Note that unconfirmed and unapproved accounts can still be searched for and their (empty) account retrieved using the REST API.
---
 .../concerns/account_owned_concern.rb | 5 ++++
 .../account_controller_concern_spec.rb | 23 +++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/app/controllers/concerns/account_owned_concern.rb b/app/controllers/concerns/account_owned_concern.rb
index 62e379846..25149d03f 100644
--- a/app/controllers/concerns/account_owned_concern.rb
+++ b/app/controllers/concerns/account_owned_concern.rb
@@ -8,6 +8,7 @@ module AccountOwnedConcern
 before_action :set_account, if: :account_required?
 before_action :check_account_approval, if: :account_required?
 before_action :check_account_suspension, if: :account_required?
+ before_action :check_account_confirmation, if: :account_required?
 end
 private
@@ -28,6 +29,10 @@ module AccountOwnedConcern
 not_found if @account.local? && @account.user_pending?
 end
+ def check_account_confirmation
+ not_found if @account.local? && !@account.user_confirmed?
+ end
+
 def check_account_suspension
 if @account.suspended_permanently?
 permanent_suspension_response
diff --git a/spec/controllers/concerns/account_controller_concern_spec.rb b/spec/controllers/concerns/account_controller_concern_spec.rb
index 835645414..99975f4c4 100644
--- a/spec/controllers/concerns/account_controller_concern_spec.rb
+++ b/spec/controllers/concerns/account_controller_concern_spec.rb
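Review bot: The new `check_account_confirmation` callback is registered after `check_account_suspension`, while the sibling `check_account_approval` runs before it, so the two "not yet usable" states answer differently when the account is also suspended: an unapproved suspended account gets the 404 from the approval check, an unconfirmed suspended one gets the suspension response instead. If the intent is to treat unconfirmed and unapproved accounts alike (both are hidden with `not_found`), registering the confirmation check right after the approval one keeps the precedence consistent: `before_action :check_account_approval, if: :account_required?` / `before_action :check_account_confirmation, if: :account_required?` / `before_action :check_account_suspension, if: :account_required?`. Whether a suspended account should leak its (un)confirmed state through this ordering is a product decision I cannot settle from the hunk; the `included` block this sits in starts outside the hunk.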
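Review bot: `!@account.user_confirmed?` in the new `check_account_confirmation` also fires when the predicate returns nil, which is what a `delegate ... to: :user, allow_nil: true` style helper would return for a local account with no `User` row (the nearby `user_pending?` check has the same shape, so this may well be the established convention) — worth confirming that every local account served by these controllers is expected to have a user, since a nil would now turn into a 404 rather than being skipped. The method is also undocumented; given the commit message explicitly calls out that the REST API still exposes these accounts, a one-line comment above the `def` would save the next reader from assuming this is a complete hide: `# Hide unconfirmed local accounts from public pages only; the REST API still serves them (see #17382).` The enclosing `AccountOwnedConcern` module and its `private` section continue outside the hunk.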
@@ -11,10 +11,33 @@ describe ApplicationController, type: :controller do
 end
 end
+ around do |example|
+ registrations_mode = Setting.registrations_mode
+ example.run
+ Setting.registrations_mode = registrations_mode
+ end
+
 before do
 routes.draw { get 'success' => 'anonymous#success' }
 end
+ context 'when account is unconfirmed' do
+ it 'returns http not found' do
+ account = Fabricate(:user, confirmed_at: nil).account
+ get 'success', params: { account_username: account.username }
+ expect(response).to have_http_status(404)
+ end
+ end
+
+ context 'when account is not approved' do
+ it 'returns http not found' do
+ Setting.registrations_mode = 'approved'
+ account = Fabricate(:user, approved: false).account
+ get 'success', params: { account_username: account.username }
+ expect(response).to have_http_status(404)
+ end
+ end
+
 context 'when account is suspended' do
 it 'returns http gone' do
 account = Fabricate(:account, suspended: true)
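Review bot: The new `around` hook restores `Setting.registrations_mode` only on the normal return path of `example.run`; RSpec reports example failures instead of raising through the hook, so in practice this is a hardening rather than an observed leak, but an `ensure` makes the restore unconditional and keeps the `'approved'` mode set by the "not approved" example from bleeding into later examples if anything in the hook itself raises: `example.run` / `ensure` / `Setting.registrations_mode = registrations_mode` (a `do` block accepts `ensure` directly on the Ruby versions this codebase targets, as far as I can tell). The added examples only cover local accounts, while the production checks are guarded by `@account.local?`; an example with a remote account (no `User` row) that still expects 200 would pin that guard, since dropping it would otherwise hide every remote profile without any test noticing. The surrounding `describe` block starts before the hunk and the suspended-account example continues past it.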