Merge branch 'stable' into develop

app/models/person.rb

@@ -299,11 +299,6 @@ class Person < ActiveRecord::Base
     end
   end
 
-  #gross method pulled out from controller, not exactly sure how it should be used.
-  def shares_with(user)
-    user.contacts.receiving.where(:person_id => self.id).first if user
-  end
-
   # @param person [Person]
   # @param url [String]
   def update_url(url)

app/presenters/person_presenter.rb

@@ -41,7 +41,9 @@ class PersonPresenter < BasePresenter
   end
 
   def person_is_following_current_user
-    @presentable.shares_with(current_user)
+    return false unless current_user
+    contact = current_user_person_contact
+    contact && contact.sharing?
   end
 
   def full_hash_with_profile

spec/controllers/people_controller_spec.rb

@@ -270,6 +270,11 @@ describe PeopleController, :type => :controller do
         expect(response).to be_redirect
         expect(response).to redirect_to new_user_session_path
       end
+
+      it "leaks no private profile info" do
+        get :show, id: @person.to_param
+        expect(response.body).not_to include(@person.profile.bio)
+      end
     end
 
     context "when the person is a contact of the current user" do
@@ -295,6 +300,11 @@ describe PeopleController, :type => :controller do
           note.reload
         }.to change(Notification.where(:unread => true), :count).by(-1)
       end
+
+      it "includes private profile info" do
+        get :show, id: @person.to_param
+        expect(response.body).to include(@person.profile.bio)
+      end
     end
 
     context "when the person is not a contact of the current user" do
@@ -311,6 +321,24 @@ describe PeopleController, :type => :controller do
         get :show, :id => @person.to_param, :format => :mobile
         expect(response).to be_success
       end
+
+      it "leaks no private profile info" do
+        get :show, id: @person.to_param
+        expect(response.body).not_to include(@person.profile.bio)
+      end
+    end
+
+    context "when the user is following the person" do
+      before do
+        sign_out :user
+        sign_in :user, peter
+        @person = alice.person
+      end
+
+      it "leaks no private profile info" do
+        get :show, id: @person.to_param
+        expect(response.body).not_to include(@person.profile.bio)
+      end
     end
   end
 

spec/presenters/person_presenter_spec.rb

@@ -4,6 +4,11 @@ describe PersonPresenter do
   let(:profile_user) { FactoryGirl.create(:user_with_aspect) }
   let(:person) { profile_user.person }
 
+  let(:mutual_contact) { double(id: 1, mutual?: true,  sharing?: true,  receiving?: true) }
+  let(:receiving_contact) { double(id: 1, mutual?: false, sharing?: false, receiving?: true)  }
+  let(:sharing_contact) { double(id: 1, mutual?: false, sharing?: true,  receiving?: false) }
+  let(:non_contact) { double(id: 1, mutual?: false, sharing?: false, receiving?: false) }
+
   describe "#as_json" do
     context "with no current_user" do
       it "returns the user's basic profile" do
@@ -22,17 +27,26 @@ describe PersonPresenter do
     end
 
     context "with a current_user" do
-      let(:current_user) { FactoryGirl.create(:user)}
+      let(:current_user) { FactoryGirl.create(:user) }
       let(:presenter){ PersonPresenter.new(person, current_user) }
       # here private information == addtional user profile, because additional profile by default is private
 
       it "doesn't share private information when the users aren't connected" do
+        allow(current_user).to receive(:contact_for) { non_contact }
+        expect(person.profile.public_details).to be_falsey
+        expect(presenter.as_json[:show_profile_info]).to be_falsey
+        expect(presenter.as_json[:profile]).not_to have_key(:location)
+      end
+
+      it "doesn't share private information when the current user is sharing with the person" do
+        allow(current_user).to receive(:contact_for) { receiving_contact }
         expect(person.profile.public_details).to be_falsey
         expect(presenter.as_json[:show_profile_info]).to be_falsey
         expect(presenter.as_json[:profile]).not_to have_key(:location)
       end
 
       it "shares private information when the users aren't connected, but profile is public" do
+        allow(current_user).to receive(:contact_for) { non_contact }
         person.profile.public_details = true
         expect(presenter.as_json[:show_profile_info]).to be_truthy
         expect(presenter.as_json[:relationship]).to be(:not_sharing)
@@ -40,7 +54,15 @@ describe PersonPresenter do
       end
 
       it "has private information when the person is sharing with the current user" do
-        expect(person).to receive(:shares_with).with(current_user).and_return(true)
+        allow(current_user).to receive(:contact_for) { sharing_contact }
+        expect(person.profile.public_details).to be_falsey
+        pr_json = presenter.as_json
+        expect(pr_json[:show_profile_info]).to be_truthy
+        expect(pr_json[:profile]).to have_key(:location)
+      end
+
+      it "has private information when the relationship is mutual" do
+        allow(current_user).to receive(:contact_for) { mutual_contact }
         expect(person.profile.public_details).to be_falsey
         pr_json = presenter.as_json
         expect(pr_json[:show_profile_info]).to be_truthy
@@ -58,10 +80,6 @@ describe PersonPresenter do
 
   describe "#full_hash" do
     let(:current_user) { FactoryGirl.create(:user) }
-    let(:mutual_contact) { double(:id => 1, :mutual? => true,  :sharing? => true,  :receiving? => true ) }
-    let(:receiving_contact) { double(:id => 1, :mutual? => false, :sharing? => false, :receiving? => true)  }
-    let(:sharing_contact) { double(:id => 1, :mutual? => false, :sharing? => true,  :receiving? => false) }
-    let(:non_contact) { double(:id => 1, :mutual? => false, :sharing? => false, :receiving? => false) }
 
     before do
       @p = PersonPresenter.new(person, current_user)