Correct policing of access to private user details
authorTom Hughes <tom@compton.nu>
Tue, 24 Aug 2021 15:59:35 +0000 (16:59 +0100)
committerTom Hughes <tom@compton.nu>
Tue, 24 Aug 2021 16:49:08 +0000 (17:49 +0100)
app/controllers/api/users_controller.rb
app/views/api/users/_user.json.jbuilder
app/views/api/users/_user.xml.builder

index b4a2efc7c3043fd06d9aee6b7deaaa76dab6f59a..a452cb9301ead6467f3c8ed6852156c55ba71e56 100644 (file)
@@ -1,6 +1,7 @@
 module Api
   class UsersController < ApiController
     before_action :disable_terms_redirect, :only => [:details]
+    before_action :setup_user_auth, :only => [:show, :index]
     before_action :authorize, :only => [:details, :gpx_files]
 
     authorize_resource
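Review bot: The file list above the first hunk contains no test file, so the case this commit closes — a request to `show`/`index` for the caller's own record made with credentials that do not grant `:details` — is not pinned by a functional test and can regress silently. Adding `setup_user_auth` here makes `current_user` available to the templates, but the access decision itself now lives in the `can?(:details, User)` checks inside `_user.json.jbuilder` and `_user.xml.builder` rather than in this controller, which deserves a comment on the new line, e.g. `# run authentication for show/index so current_user is set; the user templates gate private fields on can?(:details, User)`. I would add a test per format that fetches the caller's own record with an authorization lacking whatever grants `:details` (presumably a token scope, to be confirmed against the ability definition) and asserts that the home location and contributor-terms details are absent from the response. The class body continues outside the hunk.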
index d89b42befcf8a8725e6332945d060cb5e6001034..8423353dd3a1af1f8e534e0bc8e659ef12cb3a2d 100644 (file)
@@ -4,7 +4,7 @@ json.user do
   json.account_created user.creation_time.xmlschema
   json.description user.description if user.description
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     json.contributor_terms do
       json.agreed user.terms_agreed.present?
       json.pd user.consider_pd
@@ -45,7 +45,7 @@ json.user do
     end
   end
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     if user.home_lat && user.home_lon
       json.home do
         json.lat user.home_lat
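Review bot: The predicate `current_user && current_user == user && can?(:details, User)` is now written out four times — here, in the second hunk of this template (`@@ -45,7 +45,7 @@`), and twice in `_user.xml.builder` — so the rule for exposing private fields lives in four places and a later change to it, or a new private field, can update some sites and miss others. I would move it into one helper the templates call, e.g. `def private_details_visible?(user)` / `  current_user && current_user == user && can?(:details, User)` / `end`, exposed to the views via `helper_method` or a view helper, and write `if private_details_visible?(user)` at each site. A short comment on that helper should state the two halves of the rule: the equality check restricts the private data to the authenticated user's own record, while `can?(:details, User)` presumably reflects what the presenting credentials are permitted to read — confirm that against the ability definition, since it is not visible in this diff.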
index d8c6c1c6ef876fe50722697d194840fb21508b9a..9092f2c96bacaaf1cb2233756716c41d36ecd0fc 100644 (file)
@@ -2,7 +2,7 @@ xml.tag! "user", :id => user.id,
                  :display_name => user.display_name,
                  :account_created => user.creation_time.xmlschema do
   xml.tag! "description", user.description if user.description
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     xml.tag! "contributor-terms", :agreed => user.terms_agreed.present?,
                                   :pd => user.consider_pd
   else
@@ -24,7 +24,7 @@ xml.tag! "user", :id => user.id,
                          :active => user.blocks_created.active.size
     end
   end
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     if user.home_lat && user.home_lon
       xml.tag! "home", :lat => user.home_lat,
                        :lon => user.home_lon,