From 4ca8660b1d968eaf7bc5fe50aae433c00d39064f Mon Sep 17 00:00:00 2001
From: Michael Weimann <mail@michael-weimann.eu>
Date: Fri, 2 Jul 2021 16:33:48 +0200
Subject: [PATCH] implement visible authorisation

---
 ki/routes.py                     | 3 +++
 ki/test/test_profile_endpoint.py | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/ki/routes.py b/ki/routes.py
index f9e700d..ac13884 100644
--- a/ki/routes.py
+++ b/ki/routes.py
@@ -116,6 +116,9 @@ def get_user_profile(user_id):
     if profile is None:
         return make_response({}, 404)
 
+    if not profile.visible and profile.user.id != g.user.id:
+        return make_response({}, 403)
+
     return make_response({
         "profile": profile.to_dict(),
     })
diff --git a/ki/test/test_profile_endpoint.py b/ki/test/test_profile_endpoint.py
index 626d104..33b786b 100644
--- a/ki/test/test_profile_endpoint.py
+++ b/ki/test/test_profile_endpoint.py
@@ -139,6 +139,11 @@ class TestProfileEndpoint(ApiTest):
             self.assertEqual(second_language.language_id, "es")
             self.assertEqual(second_language.level, 2)
 
+    def test_get_profile_unauthorised(self):
+
+        response = self.client.get("/users/1/profile")
+        self.assertEqual(response.status_code, 401)
+
     def test_get_profile(self):
         login_data = {"username": "peter", "password": "geheim"}
         login_response = self.client.post("/users/login", data=json.dumps(login_data), content_type="application/json")