diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb index 1b3bf63e..f2d6a8d6 100644 --- a/app/controllers/account_controller.rb +++ b/app/controllers/account_controller.rb @@ -35,6 +35,10 @@ class AccountController < ApplicationController events = Redmine::Activity::Fetcher.new(User.current, :author => @user).events(nil, nil, :limit => 10) @events_by_day = events.group_by(&:event_date) + if @user != User.current && !User.current.admin? && @memberships.empty? && events.empty? + render_404 and return + end + rescue ActiveRecord::RecordNotFound render_404 end diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb index e38ccb54..67c4d8b6 100644 --- a/test/functional/account_controller_test.rb +++ b/test/functional/account_controller_test.rb @@ -56,6 +56,11 @@ class AccountControllerTest < ActionController::TestCase assert_nil assigns(:user) end + def test_show_should_not_reveal_users_with_no_visible_activity_or_project + get :show, :id => 9 + assert_response 404 + end + def test_login_should_redirect_to_back_url_param # request.uri is "test.host" in test environment post :login, :username => 'jsmith', :password => 'jsmith', :back_url => 'http%3A%2F%2Ftest.host%2Fissues%2Fshow%2F1'