Merge pull request #3788 from gratipay/hidden-giving-fix

Add user.participant to who can see giving numbers
gratipay · Sep 20, 2015 · 1883807 · 1883807
2 parents 2e383b1 + e8a96ea
commit 1883807
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 2 deletions.
diff --git a/gratipay/utils/__init__.py b/gratipay/utils/__init__.py
@@ -136,7 +136,7 @@ def update_cta(website):
     nusers = website.db.one("""
         SELECT nusers FROM paydays
         ORDER BY ts_end DESC LIMIT 1
-    """, default=(0.0, 0))
+    """, default=0)
     nreceiving_from = website.db.one("""
         SELECT nreceiving_from
           FROM teams

diff --git a/templates/profile.html b/templates/profile.html
@@ -52,7 +52,7 @@
         <tr>
             <td class="label">{{ _("Giving") }}</td>
             {% if participant.anonymous_giving %}
-                {% if user.ADMIN %}
+                {% if user.ADMIN or (user.participant == participant)%}
                 <td>{{ format_currency(participant.giving, 'USD') }}</td>
                 <td>[{{ participant.ngiving_to }}]</td>
                 {% else %}

diff --git a/tests/py/test_privacy_json.py b/tests/py/test_privacy_json.py
@@ -58,3 +58,57 @@ def test_participant_does_show_up_on_search(self):
     def test_participant_doesnt_show_up_on_search(self):
         self.hit_privacy('POST', data={'toggle': 'is_searchable'})
         assert 'alice' not in self.client.GET("/search.json?q=alice").body
+
+    # Related to anonymous_giving
+
+    def test_anon_can_see_giving_for_non_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=False)
+        assert '10.79' in self.client.GET('/~bob/').body
+        assert '342' in self.client.GET('/~bob/').body
+
+    def test_auth_can_see_giving_for_non_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=False)
+        assert '10.79' in self.client.GET('/~bob/', auth_as='alice').body
+        assert '342' in self.client.GET('/~bob/', auth_as='alice').body
+
+    def test_admin_can_see_giving_for_non_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=False)
+        self.make_participant('admin', is_admin=True)
+        assert '10.79' in self.client.GET('/~bob/', auth_as='admin').body
+        assert '342' in self.client.GET('/~bob/', auth_as='admin').body
+        assert '[342]' not in self.client.GET('/~bob/', auth_as='admin').body
+
+    def test_self_can_see_giving_for_non_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=False)
+        assert '10.79' in self.client.GET('/~bob/', auth_as='bob').body.decode('utf8')
+        assert '342' in self.client.GET('/~bob/', auth_as='bob').body.decode('utf8')
+        assert '[342]' not in self.client.GET('/~bob/', auth_as='bob').body.decode('utf8')
+
+    def test_anon_cannot_see_giving_for_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=True)
+        assert '10.79' not in self.client.GET('/~bob/').body
+        assert '342' not in self.client.GET('/~bob/').body
+
+    def test_auth_cannot_see_giving_for_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=True)
+        assert '10.79' not in self.client.GET('/~bob/', auth_as='alice').body
+        assert '342' not in self.client.GET('/~bob/', auth_as='alice').body
+
+    def test_admin_can_see_giving_for_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=True)
+        self.make_participant('admin', is_admin=True)
+        assert '10.79' in self.client.GET('/~bob/', auth_as='admin').body
+        assert '[342]' in self.client.GET('/~bob/', auth_as='admin').body
+
+    def test_self_can_see_giving_for_anonymous_giving(self):
+        self.make_participant('bob', claimed_time='now',
+                              giving=10.79, ngiving_to=342, anonymous_giving=True)
+        assert '10.79' in self.client.GET('/~bob/', auth_as='bob').body.decode('utf8')
+        assert '[342]' in self.client.GET('/~bob/', auth_as='bob').body.decode('utf8')