Fix user router possbile panic (#29751) (#29786)
regression from #28023
backport #29751
lunny authored Mar 14, 2024
1 parent 538efb9 commit 61db562
Showing 2 changed files with 14 additions and 2 deletions.
7 changes: 5 additions & 2 deletions routers/web/user/home.go
Expand Up @@ -824,12 +824,16 @@ func UsernameSubRoute(ctx *context.Context) {
reloadParam := func(suffix string) (success bool) {
ctx.SetParams("username", strings.TrimSuffix(username, suffix))
context_service.UserAssignmentWeb()(ctx)
if ctx.Written() {
return false
}

// check view permissions
if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) {
ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))
return false
}
return !ctx.Written()
return true
}
switch {
case strings.HasSuffix(username, ".png"):
Expand All @@ -850,7 +854,6 @@ func UsernameSubRoute(ctx *context.Context) {
return
}
if reloadParam(".rss") {
context_service.UserAssignmentWeb()(ctx)
feed.ShowUserFeedRSS(ctx)
}
case strings.HasSuffix(username, ".atom"):
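Review bot: In `reloadParam`, `ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name))` still passes the user name as the format string, so any `%` in it would be read as a verb and the printf check in `go vet` can flag the non-constant format; `fmt.Errorf("%s", ctx.ContextUser.Name)` avoids both. The new `if ctx.Written()` guard would also benefit from a comment saying why it must come before the visibility check, for example `// UserAssignmentWeb has already responded; ctx.ContextUser may be nil here`, because that ordering is what keeps the dereference below it from panicking on a request for an unknown user. This presumably relies on the helper writing a response on every failure path, which is not visible in this hunk. The closure sits inside `UsernameSubRoute`, whose body starts and ends outside the shown lines.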
9 changes: 9 additions & 0 deletions tests/integration/user_test.go
Expand Up @@ -243,6 +243,8 @@ func testExportUserGPGKeys(t *testing.T, user, expected string) {
}

func TestGetUserRss(t *testing.T) {
defer tests.PrepareTestEnv(t)()

user34 := "the_34-user.with.all.allowedChars"
req := NewRequestf(t, "GET", "/%s.rss", user34)
resp := MakeRequest(t, req, http.StatusOK)
Expand All @@ -253,6 +255,13 @@ func TestGetUserRss(t *testing.T) {
description, _ := rssDoc.ChildrenFiltered("description").Html()
assert.EqualValues(t, "<p dir="auto">some <a href="https://commonmark.org/" rel="nofollow">commonmark</a>!</p>\n", description)
}

req = NewRequestf(t, "GET", "/non-existent-user.rss")
MakeRequest(t, req, http.StatusNotFound)

session := loginUser(t, "user2")
req = NewRequestf(t, "GET", "/non-existent-user.rss")
session.MakeRequest(t, req, http.StatusNotFound)
}

func TestListStopWatches(t *testing.T) {
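Review bot: The not-found assertions added to `TestGetUserRss` cover only the `.rss` suffix, while the switch in `routers/web/user/home.go` also has `.png` and `.atom` branches that presumably go through the same `reloadParam` closure. Repeating the anonymous and logged-in checks for a sibling route, e.g. `MakeRequest(t, NewRequest(t, "GET", "/non-existent-user.atom"), http.StatusNotFound)`, would catch the same panic reappearing there; the expected status for each suffix should be confirmed against its handler. Since the two added requests pass no format arguments, `NewRequest` reads more clearly than `NewRequestf`.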
