From d388e4bb868602f293b73918981bee1de6176a24 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Fri, 19 Feb 2010 11:40:49 -0800
Subject: Refactor away the "display_all" construct in User_Profile_Controller.
 "display_all" is too coarse, and we should be letting event handlers make the
 appropriate decision on what to display and when.  This duplicates some code,
 but it's now very clear in the event handlers what's getting shown.

Throw a 404 if we try to view the user profile for a missing user.

The only feature change in this should be that we now display the
name, full name and website for a user to any other registered user,
which makes sense since these are typically public fields.

Don't show any of the edit buttons unless identity::is_writable()
---
 modules/rest/helpers/rest_event.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

(limited to 'modules/rest/helpers')

diff --git a/modules/rest/helpers/rest_event.php b/modules/rest/helpers/rest_event.php
index f9aa34e3..c46e65c4 100644
--- a/modules/rest/helpers/rest_event.php
+++ b/modules/rest/helpers/rest_event.php
@@ -76,19 +76,27 @@ class rest_event {
   }
 
   static function show_user_profile($data) {
-    if ($data->display_all) {
-      $view = new View("user_profile_rest.html");
-      $key = ORM::factory("user_access_token")
+    // Guests can't see a REST key
+    if (identity::active_user()->guest) {
+      return;
+    }
+
+    // Only logged in users can see their own REST key
+    if (identity::active_user()->id != $data->user->id) {
+      return;
+    }
+
+    $view = new View("user_profile_rest.html");
+    $key = ORM::factory("user_access_token")
         ->where("user_id", "=", $data->user->id)
         ->find();
 
-      if (!$key->loaded()) {
-        $key->user_id = $data->user->id;
-        $key->access_key = md5($data->user->name . rand());
-        $key->save();
-      }
-      $view->rest_key = $key->access_key;
-      $data->content[] = (object)array("title" => t("Rest api"), "view" => $view);
+    if (!$key->loaded()) {
+      $key->user_id = $data->user->id;
+      $key->access_key = md5($data->user->name . rand());
+      $key->save();
     }
+    $view->rest_key = $key->access_key;
+    $data->content[] = (object)array("title" => t("Rest api"), "view" => $view);
   }
 }
-- 
cgit v1.2.3