Do not leak photos in the profile sidebar

app/controllers/people_controller.rb

@@ -81,7 +81,8 @@ class PeopleController < ApplicationController
     @aspect = :profile
     @stream = Stream::Person.new(current_user, @person, :max_time => max_time)
     @profile = @person.profile
-    @photos = Photo.where(author_id: @profile.id).order('created_at desc')
+    @photos = photos_from(@person)
+
     unless params[:format] == "json" # hovercard
       if current_user
         @block = current_user.blocks.where(:person_id => @person.id).first
@@ -189,4 +190,14 @@ class PeopleController < ApplicationController
   def remote_profile_with_no_user_session?
     @person.try(:remote?) && !user_signed_in?
   end
+
+  def photos_from(person)
+    photos = if user_signed_in?
+      current_user.photos_from(person)
+    else
+      Photo.where(author_id: person.id, public: true)
+    end
+
+    photos.order('created_at desc')
+  end
 end

app/controllers/photos_controller.rb

@@ -14,7 +14,7 @@ class PhotosController < ApplicationController
   def index
     @post_type = :photos
     @person = Person.find_by_guid(params[:person_id])
-    @photos = Photo.where(author_id: @person.id).order('created_at desc')
+
     if @person
       @contact = current_user.contact_for(@person)
 

spec/controllers/people_controller_spec.rb

@@ -190,6 +190,16 @@ describe PeopleController do
       response.body.should_not include(profile.first_name)
     end
 
+    it "doesn't leak photos in the sidebar" do
+      private_photo = @user.post(:photo, user_file: uploaded_photo, to: @aspect.id, public: false)
+      public_photo = @user.post(:photo, user_file: uploaded_photo, to: @aspect.id, public: true)
+
+      sign_out :user
+      get :show, id: @user.person.to_param
+
+      assigns(:photos).should_not include private_photo
+      assigns(:photos).should include public_photo
+    end
 
     context "when the person is the current user" do
       it "succeeds" do