hitting profiles.json publically displays only public stuff; if you're...

hitting profiles.json publically displays only public stuff; if you're connected to a user, it shows that user's complete profile response

hitting profiles.json publically displays only public stuff; if you're...
d5f511c3 · danielgrippi · c3b0bbd4 · d5f511c3 · d5f511c3
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -3,7 +3,7 @@
 #   the COPYRIGHT file.

 class ProfilesController < ApplicationController
-  before_filter :authenticate_user!
+  before_filter :authenticate_user!, :except => ['show']

  respond_to :html, :except => [:show]
  respond_to :js, :only => :update
@@ -14,11 +14,20 @@ class ProfilesController < ApplicationController
    @person = Person.find_by_guid!(params[:id])

    respond_to do |format|
-      format.json { render :json => @person.as_api_response(:backbone).merge({
-          :location => @person.profile.location,
-          :birthday => @person.profile.formatted_birthday,
-          :bio => @person.profile.bio
-          }) }
+      format.json {
+        public_json = @person.as_api_response(:backbone)
+        extra_json = {}
+
+        if(current_user && current_user.contacts.receiving.where(:person_id => @person.id).first)
+          extra_json = {
+              :location => @person.profile.location,
+              :birthday => @person.profile.formatted_birthday,
+              :bio => @person.profile.bio
+          }
+        end
+
+        render :json => public_json.merge(extra_json)
+      }
    end
  end


--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
@@ -15,6 +15,27 @@ describe ProfilesController do
      get :show, :id => @user.person.guid, :format => :json
      JSON.parse(response.body).should include(JSON.parse(@user.person.as_api_response(:backbone).to_json))
    end
+
+    it "returns the user's public information if a user is not logged in" do
+      sign_out :user
+      get :show, :id => @user.person.guid, :format => :json
+      JSON.parse(response.body).should include(JSON.parse(@user.person.as_api_response(:backbone).to_json))
+    end
+
+    it "returns the user's public information if a user is logged in and the visiting user is not receiving" do
+      sign_in :user, alice
+
+      puts alice.contacts.first.person.inspect
+
+      get :show, :id => @user.person.guid, :format => :json
+      response.body.should_not match(/.location./)
+    end
+
+    it "returns the user's private information if a user is logged in and the visiting user is receiving" do
+      sign_in :user, bob
+      get :show, :id => @user.person.guid, :format => :json
+      response.body.should match(/.location./)
+    end
  end

  describe '#edit' do