Patch #18128

Make User profile 404 rendering more consistent (and speed up Users#show API)

Added by Jan from Planio www.plan.io about 3 years ago. Updated about 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 90%
Category: Accounts / authentication
Target version: -

Description

Users#show (viewing the profile of any given user) can display three main sections of information:

  • The name, email, registered on, last connection, and custom fields pertaining to the user (personal information)
  • The user's memberships in projects
  • The user's last activity in any projects

Currently, if the user has (a) at least one membership or (b) at least some activity, the user profile is shown, including the three sections above.

If the user has no membership and no activity, the page is not shown and a 404 is returned.

I think this is not very consistent. In the latter case, a visitor of the user's profile page could still be interested in seeing the user's personal information, even if she/he has no memberships or activity.

This patch fixes this behaviour and always displays a user profile.

The reason for this patch was that we noticed that the Users#show API call takes considerable time currently. It turns out, this is due to the fact that the user's activity is pulled even in case of an API request (for which the activity is not needed). So, in order to be able to move fetching of the activity to the format.html block, we made the change above. We think that both changes make sense, somehow.

0001-Make-User-profile-404-rendering-more-consistent-and-.patch (1.51 KB) Jan from Planio www.plan.io, 2014-10-18 15:56


Related issues

Related to Redmine - Feature #18093: Please add the permission "can see project members" to th... Closed
Related to Redmine - Feature #11724: Prevent users from seeing other users based on their proj... Closed
Related to Redmine - Feature #14601: Improve returned HTTP status code for requests for accoun... New

Associated revisions

Revision 13587
Added by Jean-Philippe Lang about 3 years ago

Don't load user activity for API responses (#18128).

History

#1 Updated by Jean-Philippe Lang about 3 years ago

  • Category changed from Code cleanup/refactoring to Accounts / authentication
  • Target version deleted (Candidate for next minor release)

This patch is not refactoring as it affects the visibility of user accounts (and thus breaks a test). It makes all accounts visible to anyone and some people really don't want that. We need to set up some permissions to view user accounts before changing that.

#2 Updated by Jean-Philippe Lang about 3 years ago

  • Related to Feature #18093: Please add the permission "can see project members" to the roles, or better an "hidden member" attribute for roles or memberships added

#3 Updated by Mischa The Evil about 3 years ago

  • Related to Feature #11724: Prevent users from seeing other users based on their project membership added

#4 Updated by Jan from Planio www.plan.io about 3 years ago

Jean-Philippe Lang wrote:

This patch is not refactoring as it affects the visibility of user accounts (and thus breaks a test). It makes all accounts visible to anyone and some people really don't want that. We need to set up some permissions to view user accounts before changing that.

Sorry about that. I did run the test suite; I must have missed that. Maybe it was too late in the evening.

I agree that a dedicated permission would be better. I just thought this change would not hurt since the decision on whether to display a 404 or not is already kind of implicit/technical (only if memberships or events present) rather than an explicit choice to be made by users and/or admins.

Next time, I will take a step back and think twice before marking stuff as candidate for a next release.

#5 Updated by Mischa The Evil about 3 years ago

  • Related to Feature #14601: Improve returned HTTP status code for requests for account/show added

#6 Updated by Jean-Philippe Lang about 3 years ago

  • Status changed from New to Closed

Superseded by r13584. User profile access is now allowed based on Users visibility setting on roles.

#7 Updated by Jan from Planio www.plan.io about 3 years ago

Great solution and thanks as well for #11724!
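
The behaviour change discussed in this thread, as an added Ruby model that is not Redmine's code or the attached patch: it compares the 404 rule described as current with the always-render rule the patch proposes, and lists the accounts whose profile becomes visible as a result. `ProfileUser`, `show_before`, `show_patched`, `newly_visible` and the sample users are constructed for illustration.

```ruby
# Constructed model of the Users#show decision; all names are hypothetical.
ProfileUser = Struct.new(:login, :memberships, :events, :activity_loads) do
  # Stand-in for the expensive activity query; counts how often it runs.
  def fetch_activity
    self.activity_loads += 1
    events
  end
end

# Behaviour described as current: activity is fetched for every format,
# and a profile with no memberships and no activity returns 404.
def show_before(user, format)
  events = user.fetch_activity
  return 404 if user.memberships.empty? && events.empty?
  200
end

# Behaviour proposed by the patch: always render the profile and
# fetch activity only when the response format is HTML.
def show_patched(user, format)
  user.fetch_activity if format == :html
  200
end

# Reviewer's regression check: logins whose status flips from 404 to 200,
# i.e. accounts that become visible once the implicit 404 rule is removed.
def newly_visible(users, format)
  users.select { |u| show_before(u, format) == 404 && show_patched(u, format) == 200 }
       .map(&:login)
end

# Constructed sample accounts: one member, one with activity only, one with neither.
def sample_users
  [
    ProfileUser.new("alice", ["project-a"], [], 0),
    ProfileUser.new("bob", [], ["commented on an issue"], 0),
    ProfileUser.new("carol", [], [], 0)
  ]
end

puts newly_visible(sample_users, :json).inspect if __FILE__ == $PROGRAM_NAME
```

The account with neither memberships nor activity is the one whose visibility changes, which is the effect raised in comment #1.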
