From ce287ab3fe60e9f3859497a79077b5a951b25319 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 4 Dec 2025 16:53:09 +0000
Subject: [PATCH] Render a not_found error for unavailable heatmaps
---
 app/controllers/users/heatmaps_controller.rb | 2 +
 .../users/heatmaps_controller_test.rb | 70 +++++++++++++++++++
 2 files changed, 72 insertions(+)
diff --git a/app/controllers/users/heatmaps_controller.rb b/app/controllers/users/heatmaps_controller.rb
index e7840a465..5ccc352da 100644
--- a/app/controllers/users/heatmaps_controller.rb
+++ b/app/controllers/users/heatmaps_controller.rb
@@ -40,6 +40,8 @@ module Users
 :to => to
 }
 end
+ else
+ head :not_found
 end
 end
 end
diff --git a/test/controllers/users/heatmaps_controller_test.rb b/test/controllers/users/heatmaps_controller_test.rb
index 9668ab54f..ad0f8c371 100644
--- a/test/controllers/users/heatmaps_controller_test.rb
+++ b/test/controllers/users/heatmaps_controller_test.rb
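Review bot: The `else` branch added in app/controllers/users/heatmaps_controller.rb carries no comment explaining why a bare 404 is the right answer, and the reason is security-relevant. Judging by the tests in this commit, unknown, suspended and deleted users all produce the same `:not_found` for a non-administrator, which keeps the endpoint from revealing whether a hidden account exists; a later change to a 403 or a distinct message would reintroduce that signal. I would add `# Same empty 404 for unknown and hidden users, so the response does not disclose account state` above `head :not_found`. The `if` whose condition decides this branch starts outside the hunk, so the exact visibility rule cannot be confirmed from here.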
@@ -87,6 +87,76 @@ module Users
 assert_select ".heatmap", :count => 0
 end
+ def test_show_data_suspended_user
+ user = create(:user, :suspended)
+ # Create two changesets
+ create(:changeset, :user => user, :created_at => 6.months.ago, :num_changes => 10)
+ create(:changeset, :user => user, :created_at => 3.months.ago, :num_changes => 20)
+
+ get user_heatmap_path(user)
+
+ # Should fail for suspended users
+ assert_response :not_found
+
+ session_for(create(:administrator_user))
+
+ get user_heatmap_path(user)
+
+ # Should work when requested by an administrator
+ assert_response :success
+ # The data should not be empty
+ heatmap_data = assigns(:heatmap_data)
+ assert_not_nil heatmap_data
+ assert_predicate heatmap_data[:data], :any?
+ # The data should be in the right format
+ heatmap_data[:data].each_value do |entry|
+ assert_equal [:date, :max_id, :total_changes], entry.keys.sort, "Heatmap data entries should have expected keys"
+ end
+ assert_equal 30, heatmap_data[:count]
+ end
+
+ def test_show_data_deleted_user
+ user = create(:user, :deleted)
+ # Create two changesets
+ create(:changeset, :user => user, :created_at => 6.months.ago, :num_changes => 10)
+ create(:changeset, :user => user, :created_at => 3.months.ago, :num_changes => 20)
+
+ get user_heatmap_path(user)
+
+ # Should fail for deleted users
+ assert_response :not_found
+
+ session_for(create(:administrator_user))
+
+ get user_heatmap_path(user)
+
+ # Should work when requested by an administrator
+ assert_response :success
+ # The data should not be empty
+ heatmap_data = assigns(:heatmap_data)
+ assert_not_nil heatmap_data
+ assert_predicate heatmap_data[:data], :any?
+ # The data should be in the right format
+ heatmap_data[:data].each_value do |entry|
+ assert_equal [:date, :max_id, :total_changes], entry.keys.sort, "Heatmap data entries should have expected keys"
+ end
+ assert_equal 30, heatmap_data[:count]
+ end
+
+ def test_show_data_unknown_user
+ get user_heatmap_path(:user_display_name => "unknown_user")
+
+ # Should fail for unknown users
+ assert_response :not_found
+
+ session_for(create(:administrator_user))
+
+ get user_heatmap_path(:user_display_name => "unknown_user")
+
+ # Should still fail when requested by an administrator
+ assert_response :not_found
+ end
+
 def test_show_rendering_of_user_with_no_changesets
 user_without_changesets = create(:user)
-- 
2.39.5
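Review bot: `test_show_data_suspended_user` and `test_show_data_deleted_user` check only an anonymous request and an administrator session, so nothing pins the response for a logged-in user who is not an administrator. That is the case most likely to regress if the visibility condition in the controller is edited, since it would expose a hidden user's changeset activity to any account. Before the administrator step in both tests I would add `session_for(create(:user))`, `get user_heatmap_path(user)` and `assert_response :not_found`. The two tests are otherwise identical apart from the factory trait, so a shared private helper taking the trait would keep them from drifting.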