Fixed confidentiality issue on account/show.
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 23 Jun 2007 14:06:21 +0000 (14:06 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 23 Jun 2007 14:06:21 +0000 (14:06 +0000)
Only public projects, or private projects that the logged-in user is also a member of, are displayed.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@567 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/account_controller.rb
app/views/account/show.rhtml

index 9b54a90ece3b069bde67558f6380d7fab996bdb0..ecf37ed532e797757a4de128912344f183983699 100644 (file)
@@ -28,6 +28,11 @@ class AccountController < ApplicationController
   def show
     @user = User.find(params[:id])
     @custom_values = @user.custom_values.find(:all, :include => :custom_field)
+    
+    # show only public projects and private projects that the logged in user is also a member of
+    @memberships = @user.memberships.select do |membership|
+      membership.project.is_public? || (logged_in_user && logged_in_user.role_for_project(membership.project))
+    end
   rescue ActiveRecord::RecordNotFound
     render_404
   end
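Review bot: The select added at lines 21-23 loads each membership's project with a separate query, and the view then loads each membership's role the same way; eager-loading both keeps the page at a fixed number of queries: `@memberships = @user.memberships.find(:all, :include => [:project, :role]).select do |membership|`. The filter also relies on `role_for_project` returning nil for a non-member, and it gives an administrator who is not a member no view of private projects on this page — if that is intended, a comment saying so would spare the next reader from re-deriving it. The `rescue ActiveRecord::RecordNotFound` below only covers the `User.find`, which is fine for the new code since it raises nothing of its own.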
index 19fedb3b6b6e27f2fb604038158a9b8bd9404216..cadd807f096eccf42f5742f4e2dd541797dc66d8 100644 (file)
 </p>
 
 <h3><%=l(:label_project_plural)%></h3>
-<p>
-<% for membership in @user.memberships %>
-       <%= membership.project.name %> (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)
-       <br />
+<ul>
+<% for membership in @memberships %>
+       <li><%= link_to membership.project.name, :controller => 'projects', :action => 'show', :id => membership.project %>
+    (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
 <% end %>
-</p>
+</ul>
 
 <h3><%=l(:label_activity)%></h3>
 <p>
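Review bot: The project and role names added at lines 37-38 are emitted through `<%= %>` with no `h()` and nothing else in the hunk escapes them; unless this Rails version escapes ERB output automatically (early Rails did not), a project or role name containing markup is rendered as HTML on the account page. Escaping the two values at output is the usual fix: `<li><%= link_to h(membership.project.name), :controller => 'projects', :action => 'show', :id => membership.project %>` and `(<%= h(membership.role.name) %>, <%= format_date(membership.created_on) %>)</li>`. The surrounding template continues outside the hunk.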