Don't show a member's email except for itself and the admin.

TurtleShip · Dec 28, 2015 · f86ce60 · f86ce60
1 parent 9d9192b
commit f86ce60
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 14 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -12,11 +12,18 @@ def index
   def show
     @user = target_user
     redirect_to root_url unless @user.activated?
-    @user_basic_info = {
-        email: @user.email,
+
+    @user_basic_info = {}
+
+    # A user's email will be only visible to itself and the admin for privacy reasons.
+    if logged_in? && (current_user?(@user) || current_user.admin?)
+      @user_basic_info[:email] = @user.email
+    end
+
+    @user_basic_info.merge!({
         firstname: @user.firstname,
         lastname: @user.lastname
-    }
+    })
   end
 
   def new

diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
@@ -3,8 +3,9 @@
 class UsersControllerTest < ActionController::TestCase
 
   def setup
-    @user = users(:Seulgi)
-    @other_user = users(:Taejung)
+    @admin = users(:Seulgi)
+    @member = users(:Taejung)
+    @other_member = users(:Hansol)
   end
 
   test 'a guest can view index' do
@@ -13,29 +14,29 @@ def setup
   end
 
   test 'should redirect edit when not logged in' do
-    get :edit, id: @user
+    get :edit, id: @member
     assert_not_empty flash
     assert_redirected_to login_url
   end
 
   test 'should redirect update when not logged in' do
-    patch :update, id: @user, user: {
+    patch :update, id: @member, user: {
                      username: 'valid_new_name'
                  }
     assert_not_empty flash
     assert_redirected_to login_url
   end
 
   test 'should redirect edit when logged in as wrong user' do
-    log_in_as(@other_user)
-    get :edit, id: @user
+    log_in_as(@other_member)
+    get :edit, id: @member
     assert_not_empty flash
     assert_redirected_to users_path
   end
 
   test 'should redirect update when logged in as wrong user' do
-    log_in_as(@other_user)
-    patch :update, id: @user, user: {
+    log_in_as(@other_member)
+    patch :update, id: @member, user: {
                      username: 'valid_new_name'
                  }
     assert_not_empty flash
@@ -44,21 +45,47 @@ def setup
 
   test 'should redirect destroy when not logged in' do
     assert_no_difference 'User.count' do
-      delete :destroy, id: @user
+      delete :destroy, id: @member
     end
 
     assert_not_empty flash
     assert_redirected_to login_url
   end
 
   test 'should redirect destroy when logged in as a non-admin' do
-    log_in_as(@other_user)
+    log_in_as(@other_member)
     assert_no_difference 'User.count' do
-      delete :destroy, id: @user
+      delete :destroy, id: @member
     end
 
     assert_not_empty flash
     assert_redirected_to users_path
   end
+
+  test 'a guest cannot see a member email' do
+    get :show, id: @member.id
+    user_info = assigns(:user_basic_info)
+    assert_nil user_info[:email]
+  end
+
+  test 'a member cannot see other member email' do
+    log_in_as @other_member
+    get :show, id: @member.id
+    user_info = assigns(:user_basic_info)
+    assert_nil user_info[:email]
+  end
 
+  test 'a member can see its own email' do
+    log_in_as @member
+    get :show, id: @member
+    user_info = assigns(:user_basic_info)
+    assert_not_nil user_info[:email]
+  end
+
+  test 'an admin can see any member email' do
+    log_in_as @admin
+    get :show, id: @member
+    user_info = assigns(:user_basic_info)
+    assert_not_nil user_info[:email]
+  end
 end