authorBharat Mediratta <bharat@menalto.com>2010-02-19 11:40:49 -0800
committerBharat Mediratta <bharat@menalto.com>2010-02-19 11:40:49 -0800
commitd388e4bb868602f293b73918981bee1de6176a24 (patch)
treeba51b80b60f412519b57aa48865e74f9d1ca8363 /modules/rest
parent643fffdba0e595e4e3c4777a52088f81bafded40 (diff)
Refactor away the "display_all" construct in User_Profile_Controller.
"display_all" is too coarse, and we should be letting event handlers make the appropriate decision on what to display and when. This duplicates some code, but it's now very clear in the event handlers what's getting shown. Throw a 404 if we try to view the user profile for a missing user. The only feature change in this should be that we now display the name, full name and website for a user to any other registered user, which makes sense since these are typically public fields. Don't show any of the edit buttons unless identity::is_writable()
Diffstat (limited to 'modules/rest')
-rw-r--r--modules/rest/helpers/rest_event.php28
1 files changed, 18 insertions, 10 deletions
diff --git a/modules/rest/helpers/rest_event.php b/modules/rest/helpers/rest_event.php
index f9aa34e3..c46e65c4 100644
--- a/modules/rest/helpers/rest_event.php
+++ b/modules/rest/helpers/rest_event.php
@@ -76,19 +76,27 @@ class rest_event {
}
static function show_user_profile($data) {
- if ($data->display_all) {
- $view = new View("user_profile_rest.html");
- $key = ORM::factory("user_access_token")
+ // Guests can't see a REST key
+ if (identity::active_user()->guest) {
+ return;
+ }
+
+ // Only logged in users can see their own REST key
+ if (identity::active_user()->id != $data->user->id) {
+ return;
+ }
+
+ $view = new View("user_profile_rest.html");
+ $key = ORM::factory("user_access_token")
->where("user_id", "=", $data->user->id)
->find();
- if (!$key->loaded()) {
- $key->user_id = $data->user->id;
- $key->access_key = md5($data->user->name . rand());
- $key->save();
- }
- $view->rest_key = $key->access_key;
- $data->content[] = (object)array("title" => t("Rest api"), "view" => $view);
+ if (!$key->loaded()) {
+ $key->user_id = $data->user->id;
+ $key->access_key = md5($data->user->name . rand());
+ $key->save();
}
+ $view->rest_key = $key->access_key;
+ $data->content[] = (object)array("title" => t("Rest api"), "view" => $view);
}
}
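Review bot: The REST access key set at `$key->access_key = md5($data->user->name . rand());` is derived from the user name and `rand()`, which is not a cryptographically secure source, so the credential is far more guessable than its 32-hex-character length suggests. Since this commit already moves that line, it is a natural place to draw the key from a CSPRNG while keeping the same format, e.g. `$key->access_key = bin2hex(random_bytes(16));` on PHP 7+ (or `bin2hex(openssl_random_pseudo_bytes(16))` on older runtimes). Existing keys minted the old way would presumably need to be rotated for the change to take full effect. Separately, the new ownership check `identity::active_user()->id != $data->user->id` relies on loose comparison; comparing `(int)` casts with `!==` would rule out type-juggling surprises if either id arrives as a string. The enclosing `rest_event` class starts outside the hunk.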