From cc461b126d30bb7b654719dc18369266aeb5183e Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 24 Aug 2021 16:59:35 +0100
Subject: [PATCH] Correct policing of access to private user details

---
 app/controllers/api/users_controller.rb | 1 +
 app/views/api/users/_user.json.jbuilder | 4 ++--
 app/views/api/users/_user.xml.builder | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index b4a2efc7c..a452cb930 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -1,6 +1,7 @@
 module Api
 class UsersController < ApiController
 before_action :disable_terms_redirect, :only => [:details]
+ before_action :setup_user_auth, :only => [:show, :index]
 before_action :authorize, :only => [:details, :gpx_files]
 
 authorize_resource
diff --git a/app/views/api/users/_user.json.jbuilder b/app/views/api/users/_user.json.jbuilder
index d89b42bef..8423353dd 100644
--- a/app/views/api/users/_user.json.jbuilder
+++ b/app/views/api/users/_user.json.jbuilder
@@ -4,7 +4,7 @@ json.user do
 json.account_created user.creation_time.xmlschema
 json.description user.description if user.description
 
- if current_user && current_user == user
+ if current_user && current_user == user && can?(:details, User)
 json.contributor_terms do
 json.agreed user.terms_agreed.present?
 json.pd user.consider_pd
@@ -45,7 +45,7 @@ json.user do
 end
 end
 
- if current_user && current_user == user
+ if current_user && current_user == user && can?(:details, User)
 if user.home_lat && user.home_lon
 json.home do
 json.lat user.home_lat
diff --git a/app/views/api/users/_user.xml.builder b/app/views/api/users/_user.xml.builder
index d8c6c1c6e..9092f2c96 100644
--- a/app/views/api/users/_user.xml.builder
+++ b/app/views/api/users/_user.xml.builder
@@ -2,7 +2,7 @@ xml.tag! "user", :id => user.id,
 :display_name => user.display_name,
 :account_created => user.creation_time.xmlschema do
 xml.tag! "description", user.description if user.description
- if current_user && current_user == user
+ if current_user && current_user == user && can?(:details, User)
 xml.tag! "contributor-terms", :agreed => user.terms_agreed.present?,
 :pd => user.consider_pd
 else
@@ -24,7 +24,7 @@ xml.tag! "user", :id => user.id,
 :active => user.blocks_created.active.size
 end
 end
- if current_user && current_user == user
+ if current_user && current_user == user && can?(:details, User)
 if user.home_lat && user.home_lon
 xml.tag! "home", :lat => user.home_lat,
 :lon => user.home_lon,
-- 
2.45.1
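Review bot: The added `before_action :setup_user_auth, :only => [:show, :index]` carries no comment explaining why two public read actions now need the caller's identity resolved, although that is the crux of the fix: the `_user` partial's `can?(:details, User)` check is only meaningful if the token or session was loaded before the view renders. Suggest `# show/index are public, but the _user partial reveals private fields to the requesting user; resolve the token/session here so the view's can?(:details, User) check sees the real scope` above the new line. The `:only` list presumably has to track every action that renders that partial; `details` looks to be covered by the `authorize` line just below, but that is inferred rather than visible here. The `UsersController` class body continues past the end of the hunk.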
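Review bot: The guard `current_user && current_user == user && can?(:details, User)` is now spelled out four times — here, in the `@@ -45,7` hunk below, and in both hunks of `app/views/api/users/_user.xml.builder` — and the bug this commit fixes is exactly the failure mode of such copies drifting apart. Extract it once into a view helper shared by both templates, e.g. (name constructed) `def private_details_visible?(user)` / `current_user && current_user == user && can?(:details, User)` / `end`, and call that in all four places. Keep the record-level `current_user == user` test ahead of the class-level `can?(:details, User)`, since the ability check alone says nothing about whose record is being rendered. The enclosing `json.user do` block starts and ends outside the hunk.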