fix: return an empty profile page when not found

[miketheman]

Description

Return an identical empty page to prevent user enumeration.

[JacobCoffee]

Would returning an anonymous user make it known that a user doesn't exist and the malicious actor could continue enumerating over usernames?

[miketheman]

Initially, yes - since the HTML contents used to include the user's name in the <title> tag - that's been removed in the template.

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

[pradyunsg]

I examined the HTML output of an existing vs anonymous user to confirm that the only difference is in the actual URL requested - nothing else.

non-blocking suggestion: If it's not too expensive in terms of effort, it would be good to add a test that does this.

[ewdurbin]

I’m not positive we even need or use the public profile page. Removing unauthenticated access to this view entirely is likely the correct move.

[ewdurbin]

On a little closer review, I think we should probably do away with the slugged URLs:

pythondotorg/users/urls.py

Lines 41 to 42 in 023121f

	re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/delete/$', views.UserDeleteView.as_view(), name='user_delete'),
	re_path(r'^(?P<slug>[-a-zA-Z0-9_\@\.+]+)/$', views.UserDetail.as_view(), name='user_detail'),

and replace them with /users/profile/detail and /users/profile/delete, then add a test_func matching the UserDeleteView to the UserDetail view that allows people to view their own details only.