houdini/app/controllers/profiles_controller.rb

# License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
class ProfilesController < ApplicationController

  helper_method :authenticate_profile_owner!

	before_filter :authenticate_profile_owner!, only: [:update, :fundraisers, :donations_history]

	# get /profiles/:id
	# public profile
	def show
		@profile = Profile.find(params[:id])
		@profile_nonprofits = Psql.execute(Qexpr.new.select("DISTINCT nonprofits.*").from(:nonprofits).join(:supporters, "supporters.nonprofit_id=nonprofits.id AND supporters.profile_id=#{@profile.id}"))
    @campaigns = @profile.campaigns.published.includes(:nonprofit)
		if @profile.anonymous? && current_user_id != @profile.user_id && !:super_admin
			flash[:notice] = 'That user does not have a public profile.'
			redirect_to(request.env["HTTP_REFERER"] || root_url)
			return
		end
	end

	# get /profiles/:id/donations_history
	def donations_history
    validate
		@profile =  Profile.find(params[:id])
		@recurring_donations = @profile.recurring_donations.where(:active => true).includes(:nonprofit)
		@donations = @profile.donations.includes(:nonprofit)
	end

  # get /profiles/:id/fundraisers
  def fundraisers
    validate
    current_user = Profile.find(params[:id]).user
    @profile = current_user.profile
    @edited_campaigns = Campaign.where("profile_id=#{@profile.id}").order("end_datetime DESC")
  end

  # get /profiles/:id/events
  def events
    render json:  QueryEventMetrics.for_listings('profile', params[:id], params)
  end

	# put /profiles/:id
	def update
    if current_role?(:super_admin) # can update other profiles
      @profile = Profile.find(params[:id])
    else
      @profile = current_user.profile
    end
		@profile.update_attributes(params[:profile])
		json_saved @profile, 'Profile updated'
	end

  private

  def authenticate_profile_owner!()
    if (!current_role?(:super_associate) &&
        !current_role?(:super_admin) &&
        (!current_user ||
            !current_user.profile ||
            current_user.profile.id != params[:id].to_i))
      block_with_sign_in
    end
  end

  def validate
    if !current_role?(:super_admin) && current_user.profile.id != params[:id].to_i
      flash[:notice] = "Sorry, you don't have access to that page"
      redirect_to root_url
    end
  end
end
Relicense all .rb files under new project license. The primary license of the project is changing to: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later with some specific files to be licensed under the one of two licenses: CC0-1.0 LGPL-3.0-or-later This commit is one of the many steps to relicense the entire codebase. Documentation granting permission for this relicensing (from all past contributors who hold copyrights) is on file with Software Freedom Conservancy, Inc. 2018-03-25 12:15:39 -04:00			`# License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later`
Initial commit. Previous history maintained by CommitChange 2018-03-25 13:30:42 -04:00			`class ProfilesController < ApplicationController`

			`helper_method :authenticate_profile_owner!`

			`before_filter :authenticate_profile_owner!, only: [:update, :fundraisers, :donations_history]`

			`# get /profiles/:id`
			`# public profile`
			`def show`
			`@profile = Profile.find(params[:id])`
			`@profile_nonprofits = Psql.execute(Qexpr.new.select("DISTINCT nonprofits.*").from(:nonprofits).join(:supporters, "supporters.nonprofit_id=nonprofits.id AND supporters.profile_id=#{@profile.id}"))`
			`@campaigns = @profile.campaigns.published.includes(:nonprofit)`
			`if @profile.anonymous? && current_user_id != @profile.user_id && !:super_admin`
			`flash[:notice] = 'That user does not have a public profile.'`
			`redirect_to(request.env["HTTP_REFERER"] \|\| root_url)`
			`return`
			`end`
			`end`

			`# get /profiles/:id/donations_history`
			`def donations_history`
			`validate`
			`@profile = Profile.find(params[:id])`
			`@recurring_donations = @profile.recurring_donations.where(:active => true).includes(:nonprofit)`
			`@donations = @profile.donations.includes(:nonprofit)`
			`end`

			`# get /profiles/:id/fundraisers`
			`def fundraisers`
			`validate`
			`current_user = Profile.find(params[:id]).user`
			`@profile = current_user.profile`
			`@edited_campaigns = Campaign.where("profile_id=#{@profile.id}").order("end_datetime DESC")`
			`end`

			`# get /profiles/:id/events`
			`def events`
			`render json: QueryEventMetrics.for_listings('profile', params[:id], params)`
			`end`

			`# put /profiles/:id`
			`def update`
			`if current_role?(:super_admin) # can update other profiles`
			`@profile = Profile.find(params[:id])`
			`else`
			`@profile = current_user.profile`
			`end`
			`@profile.update_attributes(params[:profile])`
			`json_saved @profile, 'Profile updated'`
			`end`

			`private`

			`def authenticate_profile_owner!()`
			`if (!current_role?(:super_associate) &&`
			`!current_role?(:super_admin) &&`
			`(!current_user \|\|`
			`!current_user.profile \|\|`
			`current_user.profile.id != params[:id].to_i))`
			`block_with_sign_in`
			`end`
			`end`

			`def validate`
			`if !current_role?(:super_admin) && current_user.profile.id != params[:id].to_i`
			`flash[:notice] = "Sorry, you don't have access to that page"`
			`redirect_to root_url`
			`end`
			`end`
			`end`