From d5f511c32545066c1be50661f1fb7153f4174b87 Mon Sep 17 00:00:00 2001
From: danielgrippi
Date: Sat, 28 Apr 2012 17:05:25 -0700
Subject: [PATCH] hitting profiles.json publically displays only public stuff; if you're connected to a user, it shows that user's complete profile response
---
 app/controllers/profiles_controller.rb | 21 ++++++++++++++------
 spec/controllers/profiles_controller_spec.rb | 21 ++++++++++++++++++++
 2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 0827a01d2..8b8f59091 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -3,7 +3,7 @@
 # the COPYRIGHT file.
 
 class ProfilesController < ApplicationController
-  before_filter :authenticate_user!
+  before_filter :authenticate_user!, :except => ['show']
   respond_to :html, :except => [:show]
   respond_to :js, :only => :update
 
@@ -14,11 +14,20 @@ class ProfilesController < ApplicationController
     @person = Person.find_by_guid!(params[:id])
 
     respond_to do |format|
-      format.json { render :json => @person.as_api_response(:backbone).merge({
-        :location => @person.profile.location,
-        :birthday => @person.profile.formatted_birthday,
-        :bio => @person.profile.bio
-      }) }
+      format.json {
+        public_json = @person.as_api_response(:backbone)
+        extra_json = {}
+
+        if(current_user && current_user.contacts.receiving.where(:person_id => @person.id).first)
+          extra_json = {
+            :location => @person.profile.location,
+            :birthday => @person.profile.formatted_birthday,
+            :bio => @person.profile.bio
+          }
+        end
+
+        render :json => public_json.merge(extra_json)
+      }
     end
   end
 
diff --git a/spec/controllers/profiles_controller_spec.rb b/spec/controllers/profiles_controller_spec.rb
index 3db5e763f..b7a457642 100644
--- a/spec/controllers/profiles_controller_spec.rb
+++ b/spec/controllers/profiles_controller_spec.rb
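Review bot: `:except => ['show']` names the action with a string while the `respond_to :html, :except => [:show]` line directly below uses a symbol; `before_filter :authenticate_user!, :except => [:show]` keeps the two lists consistent. Because `show` no longer requires a session, `current_user` can be nil inside it, which the second hunk guards, and the base response handed to anonymous callers is whatever `as_api_response(:backbone)` serializes, so that serializer definition (outside this diff) is where to confirm only public fields are included.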
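Review bot: The contact lookup withholds location, birthday and bio from a user viewing their own profile, because `current_user.contacts.receiving.where(:person_id => @person.id)` will, if a user has no Contact row for their own person as I would expect, be empty when `@person` is `current_user.person`; the pre-change code returned those fields to every signed-in viewer, so this looks like an unintended regression rather than a design choice. A condition such as `if current_user && (current_user.person == @person || current_user.contacts.receiving.where(:person_id => @person.id).exists?)` covers the owner and avoids loading a whole Contact record via `.first` just to test existence, and dropping the parentheses after `if` matches Ruby style. The visibility rule encoded here deserves a comment above the `if`, e.g. `# detailed profile fields go only to the owner and to viewers this person shares with (contacts.receiving)` — confirm that `contacts.receiving` carries that meaning in the Contact model. The `show` method's signature is outside this hunk.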
@@ -15,6 +15,27 @@ describe ProfilesController do
       get :show, :id => @user.person.guid, :format => :json
       JSON.parse(response.body).should include(JSON.parse(@user.person.as_api_response(:backbone).to_json))
     end
+
+    it "returns the user's public information if a user is not logged in" do
+      sign_out :user
+      get :show, :id => @user.person.guid, :format => :json
+      JSON.parse(response.body).should include(JSON.parse(@user.person.as_api_response(:backbone).to_json))
+    end
+
+    it "returns the user's public information if a user is logged in and the visiting user is not receiving" do
+      sign_in :user, alice
+
+      puts alice.contacts.first.person.inspect
+
+      get :show, :id => @user.person.guid, :format => :json
+      response.body.should_not match(/.location./)
+    end
+
+    it "returns the user's private information if a user is logged in and the visiting user is receiving" do
+      sign_in :user, bob
+      get :show, :id => @user.person.guid, :format => :json
+      response.body.should match(/.location./)
+    end
   end
 
   describe '#edit' do
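Review bot: `puts alice.contacts.first.person.inspect` in the "not receiving" example is leftover debugging output that prints on every run and, if alice has no contacts in the fixtures, raises NoMethodError on nil; delete that line together with the blank lines around it. The `/.location./` pattern uses `.` as a wildcard, so it also matches substrings such as `"geolocation"` anywhere in the body; `JSON.parse(response.body).should_not have_key('location')` and its positive counterpart in the "receiving" example assert the JSON key directly. Whether bob is receiving from `@user.person` and alice is not depends on fixture setup outside this hunk, so the two examples presumably rely on the shared `before` block; the enclosing describe block also starts outside the hunk.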