From 1a2aee84b21a90ea0b0658520e3b93e6085c8eea Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 23 Jun 2007 14:06:21 +0000
Subject: Fixed confidentiality issue on account/show. Only public projects or private projects that the logged in user belongs to are displayed.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@567 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'app/controllers/account_controller.rb')

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 9b54a90ec..ecf37ed53 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -28,6 +28,11 @@ class AccountController < ApplicationController
   def show
     @user = User.find(params[:id])
     @custom_values = @user.custom_values.find(:all, :include => :custom_field)
+
+    # show only public projects and private projects that the logged in user is also a member of
+    @memberships = @user.memberships.select do |membership|
+      membership.project.is_public? || (logged_in_user && logged_in_user.role_for_project(membership.project))
+    end
   rescue ActiveRecord::RecordNotFound
     render_404
   end
--
cgit v1.2.3
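Review bot: The visibility rule added on the `@memberships = @user.memberships.select` line lives only in this controller action, so the same leak remains possible anywhere else a user's projects are listed, including the account/show view itself if it still reads `@user.memberships` or `@user.projects` directly rather than `@memberships`. The predicate would be safer as a single model method the view and other controllers can reuse, for example a constructed name such as `project.visible_to?(logged_in_user)`, with the controller reduced to `@memberships = @user.memberships.select { |m| m.project.visible_to?(logged_in_user) }` and a comment noting that the method is the one place the public/member rule is defined. It is also worth confirming that `role_for_project` returns something truthy for an administrator who is not a member of the project; if it does not, admins will see fewer projects on this page than on the rest of the site, which is a consistency rather than a confidentiality problem. Finally, `membership.project` is loaded once per membership inside the block; the previous line already uses `:include`, so `@user.memberships.find(:all, :include => :project)` would avoid the extra query per row.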