only staff should be able to see bookmarks and favs of other users

ensure that when they click on them they see the correct topics (topics for user they are looking at, not current user)

app/assets/javascripts/discourse/routes/user_routes.js

@@ -190,6 +190,6 @@ Discourse.UserActivityFavoritesRoute = Discourse.UserTopicListRoute.extend({
   userActionType: Discourse.UserAction.TYPES.favorites,
 
   model: function() {
-    return Discourse.TopicList.find('favorited');
+    return Discourse.TopicList.find('favorited?user_id=' + this.modelFor('user').get('id'));
   }
 });

app/controllers/list_controller.rb

@@ -8,7 +8,11 @@ class ListController < ApplicationController
   [:latest, :hot, :favorited, :read, :posted, :unread, :new].each do |filter|
     define_method(filter) do
       list_opts = build_topic_list_options
-      list = TopicQuery.new(current_user, list_opts).public_send("list_#{filter}")
+      user = current_user
+      if params[:user_id] && guardian.is_staff?
+        user = User.find(params[:user_id].to_i)
+      end
+      list = TopicQuery.new(user, list_opts).public_send("list_#{filter}")
       list.more_topics_url = url_for(self.public_send "#{filter}_path".to_sym, list_opts.merge(format: 'json', page: next_page))
 
       respond(list)

app/models/user_action.rb

@@ -301,8 +301,8 @@ SQL
       builder.where("p.deleted_at is null and p2.deleted_at is null and t.deleted_at is null")
     end
 
-    unless guardian.user && guardian.user.id == user_id
+    unless (guardian.user && guardian.user.id == user_id) || guardian.is_staff?
-      builder.where("a.action_type not in (#{BOOKMARK})")
+      builder.where("a.action_type not in (#{BOOKMARK},#{STAR})")
     end
 
     if !guardian.can_see_private_messages?(user_id) || ignore_private_messages