benburwell / MCEMS-Site

:ambulance: EMS agency management web app. Handles applications, member records, certifications, and scheduling.
https://portal.bergems.org/

Allow member to edit themself #44

Closed jmankhan closed 9 years ago

jmankhan commented 9 years ago

display_self now always sends info to edit_form, as long as the viewer is a member.

edit_form now compares the viewer's member id to the member id of the information; if they are the same, it will set edit_member to true.

The only way a person could view another person's info without the permission is if they type the id directly into the URL (which I tested, of course). Should we disable this somehow, since you can still view some potentially sensitive information? They can't change anything, of course, but they can view it.

benburwell commented 9 years ago

So I think we don't need the display_self route anymore, because either they will be using the edit form to edit their own info, or an admin will be using the edit form to edit someone else. There's no longer a use case for a member viewing another member's info. I don't remember off the top of my head all the places that link to this route, but a quick grep should tell you fairly easily.

Also, you're right, we should probably not allow people without permission to see the edit form at all. I think it would be as simple as a little if-statement using the boolean variables that we are already passing to the template engine, with a redirect if they are not authorized. What do you think?
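One way to implement the redirect-if-unauthorized check described above, as an added example that is not MCEMS-Site's own code: the `edit_member` flag comes from the thread, while the viewer fields `id`, `isMember` and `isAdmin`, the Express-style `req`/`res` shape and the redirect target `/` are assumptions made here.

```javascript
// Added example (not MCEMS-Site code). Decides whether `viewer` may open the edit
// form for member `targetId`. `edit_member` is the flag named in the thread;
// viewer.id / viewer.isMember / viewer.isAdmin are constructed assumptions.

// Returns null when the viewer is not authorized; otherwise the flags for the template.
function authorizeEditForm(viewer, targetId) {
  // Anonymous visitors never see the form, even for a valid member id.
  if (!viewer || !viewer.isMember) return null;
  // Ids taken from the URL arrive as strings; compare as strings so 7 vs "7"
  // does not silently deny (or, with loose equality, accidentally grant) access.
  const isSelf = String(viewer.id) === String(targetId);
  const isAdmin = viewer.isAdmin === true;
  // A member who types someone else's id into the URL is denied outright.
  if (!isSelf && !isAdmin) return null;
  return { edit_member: isSelf, is_admin: isAdmin };
}

// Express-style handler shape (assumed): decide before rendering, so the check is
// enforced server-side instead of relying on the template to hide fields.
function editFormHandler(req, res) {
  const flags = authorizeEditForm(req.user, req.params.id);
  if (flags === null) {
    return res.redirect('/');
  }
  return res.render('edit_form', flags);
}

// Minimal fake request/response so the handler can be exercised without a server.
function runHandler(viewer, targetId) {
  const outcome = {};
  const req = { user: viewer, params: { id: targetId } };
  const res = {
    redirect(url) { outcome.redirectedTo = url; },
    render(view, locals) { outcome.rendered = view; outcome.locals = locals; },
  };
  editFormHandler(req, res);
  return outcome;
}

// Constructed sample: a plain member viewing their own record and someone else's.
const sampleMember = { id: 7, isMember: true, isAdmin: false };
console.log(runHandler(sampleMember, '7'));  // renders edit_form with edit_member: true
console.log(runHandler(sampleMember, '8'));  // redirected to '/'
```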

jmankhan commented 9 years ago

That sounds reasonable to me. I'll write it up and send another request.

benburwell commented 9 years ago

Great. You can actually just add to this PR by pushing more commits to this branch!

jmankhan commented 9 years ago

If you can just look over this and make sure it does what it's supposed to, that'd be cool. As far as I can tell it works appropriately, but knowing my luck there's an edge case out there somewhere waiting to give everyone admin privileges.