Commit
e92c8000
authored
Jul 02, 2015
by
Dennis Schubert
Committed by
Jonne Haß
Jul 02, 2015
Do not leak private profile fields in JSON format
Signed-off-by:
Dennis Schubert
<
mail@dennis-schubert.de
>
parent
56df5978
Showing
3 changed files
with
44 additions
and
29 deletions
+44
-29
app/presenters/person_presenter.rb
app/presenters/person_presenter.rb
+26
-17
app/presenters/profile_presenter.rb
app/presenters/profile_presenter.rb
+16
-10
spec/presenters/person_presenter_spec.rb
spec/presenters/person_presenter_spec.rb
+2
-2
app/presenters/person_presenter.rb
class
PersonPresenter
<
BasePresenter
def
base_hash
{
id:
id
,
guid:
guid
,
name:
name
,
{
id:
id
,
guid:
guid
,
name:
name
,
diaspora_id:
diaspora_handle
}
end
def
full_hash
base_hash
.
merge
(
{
relationship:
relationship
,
block:
is_blocked?
?
BlockPresenter
.
new
(
current_user_person_block
).
base_hash
:
false
,
contact:
(
!
own_profile?
&&
has_contact?
)
?
{
id:
current_user_person_contact
.
id
}
:
false
,
base_hash
.
merge
(
relationship:
relationship
,
block:
is_blocked?
?
BlockPresenter
.
new
(
current_user_person_block
).
base_hash
:
false
,
contact:
(
!
own_profile?
&&
has_contact?
)
?
{
id:
current_user_person_contact
.
id
}
:
false
,
is_own_profile:
own_profile?
}
)
)
end
def
full_hash_with_avatar
full_hash
.
merge
(
{
avatar:
AvatarPresenter
.
new
(
profile
).
base_hash
}
)
full_hash
.
merge
(
avatar:
AvatarPresenter
.
new
(
profile
).
base_hash
)
end
def
full_hash_with_profile
full_hash
.
merge
({
profile:
ProfilePresenter
.
new
(
profile
).
full_hash
})
attrs
=
full_hash
if
own_profile?
||
person_is_following_current_user
attrs
.
merge!
(
profile:
ProfilePresenter
.
new
(
profile
).
private_hash
)
else
attrs
.
merge!
(
profile:
ProfilePresenter
.
new
(
profile
).
public_hash
)
end
attrs
end
def
as_json
(
options
=
{})
def
as_json
(
_
options
=
{})
attrs
=
full_hash_with_avatar
if
own_profile?
||
person_is_following_current_user
attrs
.
merge!
(
{
:location
=>
@presentable
.
location
,
:birthday
=>
@presentable
.
formatted_birthday
,
:bio
=>
@presentable
.
bio
}
)
attrs
.
merge!
(
location:
@presentable
.
location
,
birthday:
@presentable
.
formatted_birthday
,
bio:
@presentable
.
bio
)
end
attrs
...
...
@@ -51,7 +60,7 @@ class PersonPresenter < BasePresenter
contact
=
current_user_person_contact
return
:not_sharing
unless
contact
[
:mutual
,
:sharing
,
:receiving
]
.
find
do
|
status
|
%i(mutual sharing receiving)
.
find
do
|
status
|
contact
.
public_send
(
"
#{
status
}
?"
)
end
||
:not_sharing
end
...
...
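Review bot: The visibility test `own_profile? || person_is_following_current_user` now appears twice, in `full_hash_with_profile` and in `as_json`, so a later change to who may see private fields can update one copy and leave the other leaking. Pull it into a single private predicate, for example `def show_private_fields?; own_profile? || person_is_following_current_user; end`, and call that from both methods. `as_json` also returns `@presentable.location` and `@presentable.bio` directly, while `ProfilePresenter#private_hash` passes the same fields through `plain_text_for_json`, so the private field list is kept in two places; if API consumers allow it, building both from the profile presenter's hashes would leave one allowlist to audit. The body of `as_json` continues past the visible lines.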
app/presenters/profile_presenter.rb
...
...
@@ -2,20 +2,26 @@ class ProfilePresenter < BasePresenter
include
PeopleHelper
def
base_hash
{
id:
id
,
tags:
tags
.
pluck
(
:name
),
bio:
bio_message
.
plain_text_for_json
,
location:
location_message
.
plain_text_for_json
,
gender:
gender
,
birthday:
formatted_birthday
,
searchable:
searchable
{
id:
id
,
searchable:
searchable
}
end
def
full
_hash
base_hash
.
merge
(
{
def
public
_hash
base_hash
.
merge
(
avatar:
AvatarPresenter
.
new
(
@presentable
).
base_hash
,
})
tags:
tags
.
pluck
(
:name
)
)
end
def
private_hash
public_hash
.
merge
(
bio:
bio_message
.
plain_text_for_json
,
birthday:
formatted_birthday
,
gender:
gender
,
location:
location_message
.
plain_text_for_json
)
end
def
formatted_birthday
...
...
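Review bot: `private_hash` is a public method that returns bio, birthday, gender and location with no check of its own; the only guard visible in this commit sits in the caller, `PersonPresenter#full_hash_with_profile`. Put that contract above the method, e.g. `# Private fields: return only to the profile owner or to people the owner shares with; the caller must check.` Because `full_hash` is removed and `base_hash` shrinks to `id` and `searchable`, any other caller of the old methods (none are visible on this page) should be checked before merging. `searchable` stays in `base_hash` and therefore reaches every viewer, so it is worth confirming that this preference is meant to be public.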
spec/presenters/person_presenter_spec.rb
...
...
@@ -16,12 +16,12 @@ describe PersonPresenter do
let
(
:presenter
){
PersonPresenter
.
new
(
person
,
current_user
)
}
it
"doesn't share private information when the users aren't connected"
do
expect
(
presenter
.
as_json
).
not_to
have_key
(
:location
)
expect
(
presenter
.
full_hash_with_profile
[
:profile
]
).
not_to
have_key
(
:location
)
end
it
"has private information when the person is sharing with the current user"
do
expect
(
person
).
to
receive
(
:shares_with
).
with
(
current_user
).
and_return
(
true
)
expect
(
presenter
.
as_json
).
to
have_key
(
:location
)
expect
(
presenter
.
full_hash_with_profile
[
:profile
]
).
to
have_key
(
:location
)
end
it
"returns the user's private information if a user is logged in as herself"
do
...
...
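Review bot: Both rewritten expectations replace the `as_json` assertions instead of adding to them, so the private-field branch that `PersonPresenter#as_json` still contains loses these two checks. Keep the old line beside the new one in each example, e.g. `expect(presenter.as_json).not_to have_key(:location)`, so a regression in either JSON path fails the suite. Only `:location` is asserted; the other gated keys (`:bio`, `:birthday`, `:gender`) should be checked on `full_hash_with_profile[:profile]` as well. The third example is cut off after its `do`, so whether it still covers `as_json` cannot be seen here.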