From ee2211999cbcda55fcd5f3cfb29048caca658699 Mon Sep 17 00:00:00 2001
From: Suwon Chae <doortts@gmail.com>
Date: Thu, 4 May 2017 04:58:16 +0900
Subject: [PATCH] userinfo: Prevent showing private project name and
 description

See: Yona Github issue #218
---
 app/controllers/UserApp.java   |  3 ++-
 app/views/user/view.scala.html | 19 +++++++++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/app/controllers/UserApp.java b/app/controllers/UserApp.java
index 2384cf5d2..b3744dc4e 100644
--- a/app/controllers/UserApp.java
+++ b/app/controllers/UserApp.java
@@ -843,7 +843,8 @@ private static List<Project> collectProjects(String loginId, User user, String[]
 
     private static void addProjectNotDupped(List<Project> target, List<Project> foundProjects) {
         for (Project project : foundProjects) {
-            if( !target.contains(project) ) {
+            if( !target.contains(project) &&
+                    AccessControl.isAllowed(UserApp.currentUser(), project.asResource(), Operation.READ)) {
                 target.add(project);
             }
         }
diff --git a/app/views/user/view.scala.html b/app/views/user/view.scala.html
index 370a31674..79c624133 100644
--- a/app/views/user/view.scala.html
+++ b/app/views/user/view.scala.html
@@ -26,6 +26,14 @@
     }
 }
 
+@isCurrentUsersPage = @{
+    if(UserApp.currentUser.loginId.equals(user.loginId)){
+        true
+    } else {
+        false
+    }
+}
+
 @siteLayout(user.loginId, utils.MenuType.USER) {
 <div class="site-breadcrumb-outer">
     <div class="site-breadcrumb-inner">
@@ -49,12 +57,12 @@ <h3>@Messages("userinfo.profile")</h3>
 
                 <ul class="unstyled lst-stacked" style="margin-top:20px;">
                     <li @if(groupNames.contains("own")){class="active"}>
-                    <a href="@routes.UserApp.userInfo(user.loginId, "own")">@Messages("project.createdByMe")<span class="num-badge pull-right">@Project.countProjectsCreatedByUser(user.loginId)</span></a>
+                    <a href="@routes.UserApp.userInfo(user.loginId, "own")">@Messages("project.createdByMe")<span class="num-badge pull-right">@if(isCurrentUsersPage){@Project.countProjectsCreatedByUser(user.loginId)}</span></a>
                     </li>
                     <li @if(groupNames.contains("member")){class="active"}>
-                    <a href="@routes.UserApp.userInfo(user.loginId, "member")">@Messages("project.default.group.member")<span class="num-badge pull-right">@Project.countProjectsJustMemberAndNotOwner(user.loginId)</span></a>
+                    <a href="@routes.UserApp.userInfo(user.loginId, "member")">@Messages("project.default.group.member")<span class="num-badge pull-right">@if(isCurrentUsersPage){@Project.countProjectsJustMemberAndNotOwner(user.loginId)}</span></a>
                     </li>
-                    @if(user.loginId == UserApp.currentUser.loginId){
+                    @if(isCurrentUsersPage){
                         <li @if(groupNames.contains("watching")){class="active"}>
                         <a href="@routes.UserApp.userInfo(user.loginId, "watching")">@Messages("project.default.group.watching")<span class="num-badge pull-right">@user.getWatchingProjects.size</span></a>
                         </li>
@@ -124,7 +132,10 @@ <h3>@Messages("userinfo.profile")</h3>
                         }
                         <ul class="user-streams all-projects">
                             @for(project <- projects){
-                                @partial_projectlist(project, user)
+                                @if(groupNames.contains("watching") && !isCurrentUsersPage){
+                                } else {
+                                    @partial_projectlist(project, user)
+                                }
                             }
                         </ul>
                     </div>