unless requested by admin or moderator.
timestamps()
end
- def auth_active?(user), do: user.info && !user.info.confirmation_pending
+ def auth_active?(%User{} = user), do: user.info && !user.info.confirmation_pending
+
+ def superuser?(%User{} = user), do: user.info && User.Info.superuser?(user.info)
def avatar_url(user) do
case user.avatar do
# subject _> Where is this used?
end
+ def superuser?(info), do: info.is_admin || info.is_moderator
+
def set_activation_status(info, deactivated) do
params = %{deactivated: deactivated}
end
def user(%{assigns: %{user: for_user}} = conn, %{"id" => id}) do
- with %User{} = user <- Repo.get(User, id) do
+ with %User{} = user <- Repo.get(User, id),
+ true <- User.auth_active?(user) || user.id == for_user.id || User.superuser?(for_user) do
account = AccountView.render("account.json", %{user: user, for: for_user})
json(conn, account)
else
end
def show_user(conn, params) do
- with {:ok, shown} <- TwitterAPI.get_user(params) do
+ for_user = conn.assigns.user
+
+ with {:ok, shown} <- TwitterAPI.get_user(params),
+ true <- User.auth_active?(shown) || for_user && (for_user.id == shown.id || User.superuser?(for_user)) do
params =
- if user = conn.assigns.user do
- %{user: shown, for: user}
+ if for_user do
+ %{user: shown, for: for_user}
else
%{user: shown}
end
else
{:error, msg} ->
bad_request_reply(conn, msg)
+
+ false ->
+ conn
+ |> put_status(404)
+ |> json(%{error: "Unconfirmed user"})
end
end
projects / akkoma / commitdiff