From 554d0a93d077ca9fb2e90292bcb248501a9c9ff3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonne=20Ha=C3=9F?=
Date: Tue, 20 Aug 2013 20:56:37 +0200
Subject: [PATCH] Do not leak photos in the profile sidebar
---
 app/controllers/people_controller.rb | 13 ++++++++++++-
 app/controllers/photos_controller.rb | 2 +-
 spec/controllers/people_controller_spec.rb | 10 ++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/app/controllers/people_controller.rb b/app/controllers/people_controller.rb
index ba2512323..3f14f5586 100644
--- a/app/controllers/people_controller.rb
+++ b/app/controllers/people_controller.rb
@@ -81,7 +81,8 @@ class PeopleController < ApplicationController
 @aspect = :profile
 @stream = Stream::Person.new(current_user, @person, :max_time => max_time)
 @profile = @person.profile
- @photos = Photo.where(author_id: @profile.id).order('created_at desc')
+ @photos = photos_from(@person)
+
 unless params[:format] == "json" # hovercard
 if current_user
 @block = current_user.blocks.where(:person_id => @person.id).first
@@ -189,4 +190,14 @@ class PeopleController < ApplicationController
 def remote_profile_with_no_user_session?
 @person.try(:remote?) && !user_signed_in?
 end
+
+ def photos_from(person)
+ photos = if user_signed_in?
+ current_user.photos_from(person)
+ else
+ Photo.where(author_id: person.id, public: true)
+ end
+
+ photos.order('created_at desc')
+ end
 end
diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 1773e274d..c70a4a920 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -14,7 +14,7 @@ class PhotosController < ApplicationController
 def index
 @post_type = :photos
 @person = Person.find_by_guid(params[:person_id])
- @photos = Photo.where(author_id: @person.id).order('created_at desc')
+
 if @person
 @contact = current_user.contact_for(@person)
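Review bot: `photos_from` is added directly after `remote_profile_with_no_user_session?` with no visibility keyword inside the hunk, so unless a `private` marker sits above this hunk (outside it) the helper becomes a public controller method even though it is only called from `show`; keep it in the private section. The anonymous branch relies on `public: true` alone while the signed-in branch defers entirely to `current_user.photos_from(person)`, whose scoping is not part of this diff, so the intended invariant deserves a comment on the method, e.g. `# Photos of +person+ the current viewer is allowed to see: scoped through User#photos_from when signed in, public-only otherwise.` The controller helper also carries the same name as `User#photos_from` but viewer-aware semantics, which is easy to misread at the call site in `show`; `visible_photos_from` would make the difference explicit. The enclosing `PeopleController` class starts outside this hunk.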
diff --git a/spec/controllers/people_controller_spec.rb b/spec/controllers/people_controller_spec.rb
index 75980194a..0017400ed 100644
--- a/spec/controllers/people_controller_spec.rb
+++ b/spec/controllers/people_controller_spec.rb
@@ -190,6 +190,16 @@ describe PeopleController do
 response.body.should_not include(profile.first_name)
 end
 
+ it "doesn't leak photos in the sidebar" do
+ private_photo = @user.post(:photo, user_file: uploaded_photo, to: @aspect.id, public: false)
+ public_photo = @user.post(:photo, user_file: uploaded_photo, to: @aspect.id, public: true)
+
+ sign_out :user
+ get :show, id: @user.person.to_param
+
+ assigns(:photos).should_not include private_photo
+ assigns(:photos).should include public_photo
+ end
 
 context "when the person is the current user" do
 it "succeeds" do
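Review bot: The new example only exercises the signed-out branch of `photos_from` (`Photo.where(author_id: person.id, public: true)`); the signed-in branch, `current_user.photos_from(person)`, which is the path a logged-in viewer who is not in `@aspect` hits, gets no coverage here. A second example that, after `sign_out :user`, signs in as a user with no contact to `@user` and repeats the two `assigns(:photos)` expectations would pin that path and guard the delegated scoping against regressions. The surrounding `describe`/`context` block begins outside this hunk.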