Correct policing of access to private user details
[rails.git] / app / views / api / users / _user.json.jbuilder
index 9629e8fa50276a53770f1123023a2b46e1253c02..8423353dd3a1af1f8e534e0bc8e659ef12cb3a2d 100644 (file)
@@ -4,7 +4,7 @@ json.user do
   json.account_created user.creation_time.xmlschema
   json.description user.description if user.description
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     json.contributor_terms do
       json.agreed user.terms_agreed.present?
       json.pd user.consider_pd
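Review bot: The authorization predicate `current_user && current_user == user && can?(:details, User)` is now written out twice, here and again in the hunk at line 45, so any later change to the rule has to be made in both places and a private field added between the two guards is easy to leave uncovered. Computing it once near the top of the `json.user do` block, e.g. `show_private = current_user == user && can?(:details, User)`, and testing `if show_private` in both spots would keep the policy in one place. The ability is checked against the `User` class rather than the `user` record, which looks deliberate because the identity comparison covers the record; a short comment such as `# private details: own record only, and only when the ability grants :details` would make that explicit. Both guarded blocks continue outside the hunks.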
@@ -45,7 +45,7 @@ json.user do
     end
   end
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     if user.home_lat && user.home_lon
       json.home do
         json.lat user.home_lat
@@ -54,11 +54,7 @@ json.user do
       end
     end
 
-    if user.languages
-      json.languages do
-        json.array! user.languages.split(",")
-      end
-    end
+    json.languages user.languages if user.languages?
 
     json.messages do
       json.received do
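Review bot: `json.languages user.languages if user.languages?` emits whatever `user.languages` returns, whereas the removed lines always emitted an array built with `split(",")`. Unless the model accessor already returns an Array (not visible in this hunk), API clients would now receive a comma-separated string instead. This change of output shape is separate from the access check named in the commit title, so it deserves its own mention in the description and a test asserting that `languages` is still a JSON array. Judging by its indentation, the line stays inside the guard changed at line 45, so it remains limited to the user's own record.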