Give 404 when user-information form is called with not existing userid.

plone · Sep 7, 2016 · 5dc8328 · 5dc8328
1 parent 5671aec
commit 5dc8328
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,9 @@ New features:
 
 Bug fixes:
 
+- Give a 404 when the user-information form is called with a not
+  existing userid.  [maurits]
+
 - Don't show unescaped user id in user-information form.
   This applies PloneHotfix20160830.  [maurits]
 

diff --git a/plone/app/users/browser/personalpreferences.py b/plone/app/users/browser/personalpreferences.py
@@ -25,6 +25,7 @@
 from Products.CMFPlone.utils import set_own_login_name, safe_unicode
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
 from Products.statusmessages.interfaces import IStatusMessage
+from zExceptions import NotFound
 
 import cgi
 
@@ -322,6 +323,14 @@ def getPortrait(self):
         context = aq_inner(self.context)
         return context.portal_membership.getPersonalPortrait()
 
+    def __call__(self):
+        if self.userid:
+            context = aq_inner(self.context)
+            mt = getToolByName(context, 'portal_membership')
+            if mt.getMemberById(self.userid) is None:
+                raise NotFound('User does not exist.')
+        return super(UserDataPanel, self).__call__()
+
 
 class UserDataConfiglet(UserDataPanel):
     """ """

diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py
@@ -1,5 +1,6 @@
 from plone.app.users.browser.personalpreferences import UserDataPanel
 from plone.app.users.tests.base import TestCase
+from zExceptions import NotFound
 from zope.i18n import translate
 
 
@@ -14,6 +15,8 @@ def test_regression(self):
         form = UserDataPanel(portal, request)
         description = translate(form.description, context=request)
         self.assertTrue('admin' in description)
+        # form can be called without raising exception.
+        self.assertTrue(form())
 
     def test_escape_html(self):
         portal = self.portal
@@ -24,3 +27,4 @@ def test_escape_html(self):
         form = UserDataPanel(portal, request)
         description = translate(form.description, context=request)
         self.assertTrue('<script>' not in description)
+        self.assertRaises(NotFound, form)