Hide user avatar for blocked and unconfirmed users

Avatars can sometimes be used to display spam or other undesirable content for unconfirmed or blocked users. This change hides the user's custom avatar in these cases until they become unblocked or confirmed. Changelog: changed

Hide user avatar for blocked and unconfirmed users
Avatars can sometimes be used to display spam or other undesirable content for unconfirmed or blocked users. This change hides the user's custom avatar in these cases until they become unblocked or confirmed. Changelog: changed
f2a83cd8 · Drew Blessing · c60c6ed3 · f2a83cd8 · f2a83cd8 · f2a83cd8
Commit f2a83cd8 authored Dec 03, 2021 by Drew Blessing
Showing with 66 additions and 8 deletions

app/helpers/avatars_helper.rb app/helpers/avatars_helper.rb +18 -6

spec/features/users/show_spec.rb spec/features/users/show_spec.rb +8 -0

spec/helpers/avatars_helper_spec.rb spec/helpers/avatars_helper_spec.rb +40 -2

No files found.
--- a/app/helpers/avatars_helper.rb
+++ b/app/helpers/avatars_helper.rb
 # frozen_string_literal: true
 module AvatarsHelper
+  DEFAULT_AVATAR_PATH = 'no_avatar.png'
  def project_icon(project, options = {})
    source_icon(project, options)
  end
@@ -34,11 +36,11 @@ module AvatarsHelper
  end
  def avatar_icon_for_user(user = nil, size = nil, scale = 2, only_path: true)
-    if user
+    return gravatar_icon(nil, size, scale) unless user
-      user.avatar_url(size: size, only_path: only_path) || default_avatar
+    return default_avatar if blocked_or_unconfirmed?(user) && !can_admin?(current_user)
-    else
-      gravatar_icon(nil, size, scale)
+    user_avatar = user.avatar_url(size: size, only_path: only_path)
-    end
+    user_avatar || default_avatar
  end
  def gravatar_icon(user_email = '', size = nil, scale = 2)
@@ -47,7 +49,7 @@ module AvatarsHelper
  end
  def default_avatar
-    ActionController::Base.helpers.image_path('no_avatar.png')
+    ActionController::Base.helpers.image_path(DEFAULT_AVATAR_PATH)
  end
  def author_avatar(commit_or_event, options = {})
@@ -157,4 +159,14 @@ module AvatarsHelper
      source.name[0, 1].upcase
    end
  end
+  def blocked_or_unconfirmed?(user)
+    user.blocked? || !user.confirmed?
+  end
+  def can_admin?(user)
+    return false unless user
+    user.can_admin_all_resources?
+  end
 end
--- a/spec/features/users/show_spec.rb
+++ b/spec/features/users/show_spec.rb
@@ -243,6 +243,10 @@ RSpec.describe 'User page' do
      expect(page).to have_content("@#{user.username}")
    end
+    it 'shows default avatar' do
+      expect(page).to have_css('//img[data-src^="/assets/no_avatar"]')
+    end
    it_behaves_like 'default brand title page meta description'
  end
@@ -286,6 +290,10 @@ RSpec.describe 'User page' do
        expect(page).to have_content("This user has a private profile")
      end
+      it 'shows default avatar' do
+        expect(page).to have_css('//img[data-src^="/assets/no_avatar"]')
+      end
      it_behaves_like 'default brand title page meta description'
    end

--- a/spec/helpers/avatars_helper_spec.rb
+++ b/spec/helpers/avatars_helper_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
 RSpec.describe AvatarsHelper do
  include UploadHelpers
+  include Devise::Test::ControllerHelpers
  let_it_be(:user) { create(:user) }
@@ -145,12 +146,49 @@ RSpec.describe AvatarsHelper do
  describe '#avatar_icon_for_user' do
    let(:user) { create(:user, avatar: File.open(uploaded_image_temp_path)) }
+    let(:helper_args) { [user] }
+    shared_examples 'blocked or unconfirmed user with avatar' do
+      it 'returns the default avatar' do
+        expect(helper.avatar_icon_for_user(user).to_s)
+          .to match_asset_path(described_class::DEFAULT_AVATAR_PATH)
+      end
+      context 'when the current user is an admin', :enable_admin_mode do
+        let(:current_user) { create(:user, :admin) }
+        before do
+          allow(helper).to receive(:current_user).and_return(current_user)
+        end
+        it 'returns the user avatar' do
+          expect(helper.avatar_icon_for_user(user).to_s)
+            .to eq(user.avatar.url)
+        end
+      end
+    end
    context 'with a user object passed' do
      it 'returns a relative URL for the avatar' do
        expect(helper.avatar_icon_for_user(user).to_s)
          .to eq(user.avatar.url)
      end
+      context 'when the user is blocked' do
+        before do
+          user.block!
+        end
+        it_behaves_like 'blocked or unconfirmed user with avatar'
+      end
+      context 'when the user is unconfirmed' do
+        before do
+          user.update!(confirmed_at: nil)
+        end
+        it_behaves_like 'blocked or unconfirmed user with avatar'
+      end
    end
    context 'without a user object passed' do
@@ -171,7 +209,7 @@ RSpec.describe AvatarsHelper do
      end
      it 'returns a generic avatar' do
-        expect(helper.gravatar_icon(user_email)).to match_asset_path('no_avatar.png')
+        expect(helper.gravatar_icon(user_email)).to match_asset_path(described_class::DEFAULT_AVATAR_PATH)
      end
    end
@@ -181,7 +219,7 @@ RSpec.describe AvatarsHelper do
      end
      it 'returns a generic avatar when email is blank' do
-        expect(helper.gravatar_icon('')).to match_asset_path('no_avatar.png')
+        expect(helper.gravatar_icon('')).to match_asset_path(described_class::DEFAULT_AVATAR_PATH)
      end
      it 'returns a valid Gravatar URL' do