Merge pull request #2016 from Sefaria/chore/sc-29104/remove-private-f…

…ields-from-profile-response

Chore/sc 29104/remove private fields from profile response

reader/views.py

@@ -3499,10 +3499,12 @@ def user_profile(request, username):
     if not requested_profile.user.is_active:
         raise Http404('Profile is inactive.')
 
+    owner_of_profile = request.user.is_authenticated and request.user.id == requested_profile.id
+
     tab = request.GET.get("tab", "sheets")
     props = {
         "initialMenu":  "profile",
-        "initialProfile": requested_profile.to_api_dict(),
+        "initialProfile": requested_profile.to_api_dict(basic=not owner_of_profile),
         "initialTab": tab,
     }
     title = _("%(full_name)s on Sefaria") % {"full_name": requested_profile.full_name}
@@ -3514,14 +3516,24 @@ def user_profile(request, username):
 
 
 @catch_error_as_json
-def profile_api(request):
+def profile_api(request, slug=None):
     """
     API for user profiles.
     """
-    if not request.user.is_authenticated:
-        return jsonResponse({"error": _("You must be logged in to update your profile.")})
+    if request.method == "GET":
+        profile = UserProfile(slug=slug)
+        if not slug or profile.id is None:
+            raise Http404("Please Supply a valid user identification")
+        owner_of_profile = request.user.is_authenticated and request.user.id == profile.id
+        return jsonResponse(profile.to_api_dict(basic = not owner_of_profile))
+
+    elif request.method == "POST":
+        # The POST only works for the logged in user, which is more common for a website view rather than API.
+        # If the API were to be consistent, we might need to add ability to post updates for any user,
+        # and of course limit authorization on who can do that
+        if not request.user.is_authenticated:
+            return jsonResponse({"error": _("You must be logged in to update your profile.")})
 
-    if request.method == "POST":
         profileJSON = request.POST.get("json")
         if not profileJSON:
             return jsonResponse({"error": "No post JSON."})
@@ -3537,6 +3549,7 @@ def profile_api(request):
         else:
             profile.save()
             return jsonResponse(profile.to_mongo_dict())
+
     return jsonResponse({"error": "Unsupported HTTP method."})
 
 
@@ -3585,14 +3598,6 @@ def account_user_update(request):
     return jsonResponse({"error": "Unsupported HTTP method."})
 
 
-@catch_error_as_json
-def profile_get_api(request, slug):
-    if request.method == "GET":
-        profile = UserProfile(slug=slug)
-        return jsonResponse(profile.to_api_dict())
-    return jsonResponse({"error": "Unsupported HTTP method."})
-
-
 @catch_error_as_json
 def profile_follow_api(request, ftype, slug):
     if request.method == "GET":

sefaria/model/user_profile.py

@@ -686,25 +686,24 @@ def to_api_dict(self, basic=False):
                 "slug": self.slug,
                 "profile_pic_url": self.profile_pic_url,
                 "full_name": self.full_name,
+                "followers": self.followers.uids,
+                "followees": self.followees.uids,
+                "profile_pic_url": self.profile_pic_url,
+                "jewish_education": self.jewish_education,
+                "bio": self.bio,
+                "website": self.website,
+                "location": self.location,
+                "public_email": self.public_email,
+                "facebook": self.facebook,
+                "twitter": self.twitter,
+                "linkedin": self.linkedin,
+                "youtube": self.youtube,
                 "position": self.position,
                 "organization": self.organization
             }
         if basic:
             return dictionary
         other_info = {
-            "full_name":             self.full_name,
-            "followers":             self.followers.uids,
-            "followees":             self.followees.uids,
-            "profile_pic_url":       self.profile_pic_url,
-            "jewish_education":      self.jewish_education,
-            "bio":                   self.bio,
-            "website":               self.website,
-            "location":              self.location,
-            "public_email":          self.public_email,
-            "facebook":              self.facebook,
-            "twitter":               self.twitter,
-            "linkedin":              self.linkedin,
-            "youtube":               self.youtube,
             "pinned_sheets":         self.pinned_sheets,
             "show_editor_toggle":    self.show_editor_toggle,
             "uses_new_editor":       self.uses_new_editor,

sefaria/urls.py

@@ -84,13 +84,13 @@
     url(r'^profile/(?P<username>[^/]+)/?$', reader_views.user_profile),
     url(r'^settings/account?$', reader_views.account_settings),
     url(r'^settings/profile?$', reader_views.edit_profile),
+    url(r'^settings/account/user$', reader_views.account_user_update),
     url(r'^interface/(?P<language>english|hebrew)$', reader_views.interface_language_redirect),
     url(r'^api/profile/user_history$', reader_views.user_history_api),
     url(r'^api/profile/sync$', reader_views.profile_sync_api),
     url(r'^api/profile/upload-photo$', reader_views.profile_upload_photo),
     url(r'^api/profile$', reader_views.profile_api),
-    url(r'^settings/account/user$', reader_views.account_user_update),
-    url(r'^api/profile/(?P<slug>[^/]+)$', reader_views.profile_get_api),
+    url(r'^api/profile/(?P<slug>[^/]+)$', reader_views.profile_api),
     url(r'^api/profile/(?P<slug>[^/]+)/(?P<ftype>followers|following)$', reader_views.profile_follow_api),
     url(r'^api/user_history/saved$', reader_views.saved_history_for_ref),
 ]