Change public profile pages to be disabled for unconfirmed users (#17385)

Fixes #17382

Note that unconfirmed and unapproved accounts can still be searched for
and their (empty) account retrieved using the REST API.

app/controllers/concerns/account_owned_concern.rb

@@ -8,6 +8,7 @@ module AccountOwnedConcern
     before_action :set_account, if: :account_required?
     before_action :check_account_approval, if: :account_required?
     before_action :check_account_suspension, if: :account_required?
+    before_action :check_account_confirmation, if: :account_required?
   end
 
   private
@@ -28,6 +29,10 @@ module AccountOwnedConcern
     not_found if @account.local? && @account.user_pending?
   end
 
+  def check_account_confirmation
+    not_found if @account.local? && !@account.user_confirmed?
+  end
+
   def check_account_suspension
     if @account.suspended_permanently?
       permanent_suspension_response

spec/controllers/concerns/account_controller_concern_spec.rb

@@ -11,10 +11,33 @@ describe ApplicationController, type: :controller do
     end
   end
 
+  around do |example|
+    registrations_mode = Setting.registrations_mode
+    example.run
+    Setting.registrations_mode = registrations_mode
+  end
+
   before do
     routes.draw { get 'success' => 'anonymous#success' }
   end
 
+  context 'when account is unconfirmed' do
+    it 'returns http not found' do
+      account = Fabricate(:user, confirmed_at: nil).account
+      get 'success', params: { account_username: account.username }
+      expect(response).to have_http_status(404)
+    end
+  end
+
+  context 'when account is not approved' do
+    it 'returns http not found' do
+      Setting.registrations_mode = 'approved'
+      account = Fabricate(:user, approved: false).account
+      get 'success', params: { account_username: account.username }
+      expect(response).to have_http_status(404)
+    end
+  end
+
   context 'when account is suspended' do
     it 'returns http gone' do
       account = Fabricate(:account, suspended: true)