diff --git a/routers/web/user/home.go b/routers/web/user/home.go index caa71152593ef..e731a2a9b7672 100644 --- a/routers/web/user/home.go +++ b/routers/web/user/home.go @@ -714,12 +714,16 @@ func UsernameSubRoute(ctx *context.Context) { reloadParam := func(suffix string) (success bool) { ctx.SetParams("username", strings.TrimSuffix(username, suffix)) context.UserAssignmentWeb()(ctx) + if ctx.Written() { + return false + } + // check view permissions if !user_model.IsUserVisibleToViewer(ctx, ctx.ContextUser, ctx.Doer) { ctx.NotFound("user", fmt.Errorf(ctx.ContextUser.Name)) return false } - return !ctx.Written() + return true } switch { case strings.HasSuffix(username, ".png"): @@ -740,7 +744,6 @@ func UsernameSubRoute(ctx *context.Context) { return } if reloadParam(".rss") { - context.UserAssignmentWeb()(ctx) feed.ShowUserFeedRSS(ctx) } case strings.HasSuffix(username, ".atom"): diff --git a/tests/integration/user_test.go b/tests/integration/user_test.go index c30733b1b07c2..c4544f37aa3aa 100644 --- a/tests/integration/user_test.go +++ b/tests/integration/user_test.go @@ -243,6 +243,8 @@ func testExportUserGPGKeys(t *testing.T, user, expected string) { } func TestGetUserRss(t *testing.T) { + defer tests.PrepareTestEnv(t)() + user34 := "the_34-user.with.all.allowedChars" req := NewRequestf(t, "GET", "/%s.rss", user34) resp := MakeRequest(t, req, http.StatusOK) @@ -253,6 +255,13 @@ func TestGetUserRss(t *testing.T) { description, _ := rssDoc.ChildrenFiltered("description").Html() assert.EqualValues(t, "<p dir="auto">some <a href="https://commonmark.org/" rel="nofollow">commonmark</a>!</p>\n", description) } + + req = NewRequestf(t, "GET", "/non-existent-user.rss") + MakeRequest(t, req, http.StatusNotFound) + + session := loginUser(t, "user2") + req = NewRequestf(t, "GET", "/non-existent-user.rss") + session.MakeRequest(t, req, http.StatusNotFound) } func TestListStopWatches(t *testing.T) {