Merge branch 'private-profile-api' into 'master'

Do not show activity for users with private profiles Closes #140 See merge request gitlab-org/security/gitlab!539

Merge branch 'private-profile-api' into 'master'
Do not show activity for users with private profiles Closes #140 See merge request gitlab-org/security/gitlab!539
65c1f1a4 · GitLab Release Tools Bot · d8f620be · 691c988c · 65c1f1a4 · 65c1f1a4
Commit 65c1f1a4 authored Jun 29, 2020 by GitLab Release Tools Bot
4 changed files
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -33,6 +33,8 @@ class EventsFinder
  end
  def execute
+    return Event.none if cannot_access_private_profile?
    events = get_events
    events = by_current_user_access(events)
@@ -103,6 +105,10 @@ class EventsFinder
  end
  # rubocop: enable CodeReuse/ActiveRecord
+  def cannot_access_private_profile?
+    source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source)
+  end
  def sort(events)
    return events unless params[:sort]

--- a/changelogs/unreleased/private-profile-api.yml
+++ b/changelogs/unreleased/private-profile-api.yml
+---
+title: Do not show activity for users with private profiles
+merge_request:
+author:
+type: security
--- a/spec/finders/events_finder_spec.rb
+++ b/spec/finders/events_finder_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 RSpec.describe EventsFinder do
  let_it_be(:user) { create(:user) }
+  let(:private_user) { create(:user, private_profile: true) }
  let(:other_user) { create(:user) }
  let(:project1) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
@@ -57,6 +58,12 @@ RSpec.describe EventsFinder do
      expect(events).to be_empty
    end
+    it 'returns nothing when the target profile is private' do
+      events = described_class.new(source: private_user, current_user: other_user).execute
+      expect(events).to be_empty
+    end
  end
  describe 'wiki events feature flag' do

--- a/spec/requests/api/events_spec.rb
+++ b/spec/requests/api/events_spec.rb
@@ -192,6 +192,19 @@ RSpec.describe API::Events do
        end
      end
+      context 'when target users profile is private' do
+        it 'returns no events' do
+          user.update!(private_profile: true)
+          private_project.add_developer(non_member)
+          get api("/users/#{user.username}/events", non_member)
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to include_pagination_headers
+          expect(json_response).to eq([])
+        end
+      end
      context 'when scope is passed' do
        context 'when unauthenticated' do
          it 'returns no user events' do