Give 404 when user-information form is called with not existing userid.

CHANGES.rst

@@ -14,6 +14,9 @@ New features:
 
 Bug fixes:
 
+- Give a 404 when the user-information form is called with a not
+  existing userid.  [maurits]
+
 - Don't show unescaped user id in user-information form.
   This applies PloneHotfix20160830.  [maurits]
 

plone/app/users/browser/userdatapanel.py

@@ -11,6 +11,7 @@
 from plone.app.users.browser.account import AccountPanelForm
 from plone.app.users.browser.account import AccountPanelSchemaAdapter
 from plone.registry.interfaces import IRegistry
+from zExceptions import NotFound
 
 from ..schema import IUserDataSchema
 from .schemaeditor import getFromBaseSchema
@@ -85,6 +86,11 @@ def description(self):
             )
 
     def __call__(self):
+        userid = self.request.form.get('userid')
+        if userid:
+            mt = getToolByName(self.context, 'portal_membership')
+            if mt.getMemberById(userid) is None:
+                raise NotFound('User does not exist.')
         self.request.set('disable_border', 1)
         return super(UserDataPanel, self).__call__()
 

plone/app/users/tests/test_user_data_panel.py

@@ -1,3 +1,4 @@
+from zExceptions import NotFound
 from plone.app.users.browser.userdatapanel import UserDataPanel
 from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING
 from zope.i18n import translate
@@ -18,6 +19,8 @@ def test_regression(self):
         form = UserDataPanel(portal, request)
         description = translate(form.description, context=request)
         self.assertTrue('admin' in description)
+        # form can be called without raising exception.
+        self.assertTrue(form())
 
     def test_escape_html(self):
         portal = self.layer['portal']
@@ -28,3 +31,4 @@ def test_escape_html(self):
         form = UserDataPanel(portal, request)
         description = translate(form.description, context=request)
         self.assertTrue('<script>' not in description)
+        self.assertRaises(NotFound, form)