From f38d17c64f92d90702551d24c7884f60fb197e3e Mon Sep 17 00:00:00 2001
From: Nick Winter
Date: Fri, 18 Apr 2014 12:48:13 -0700
Subject: [PATCH] Protected candidates from view by employers they work(ed) at.

---
 app/templates/account/profile.jade | 2 +-
 app/templates/base.jade | 2 +-
 server/users/user_handler.coffee | 8 +++++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/templates/account/profile.jade b/app/templates/account/profile.jade
index 2726f456a..fbd3e15f5 100644
--- a/app/templates/account/profile.jade
+++ b/app/templates/account/profile.jade
@@ -90,7 +90,7 @@ block content
 if user.get('jobProfileNotes') || me.isAdmin()
 h3.experience-header(data-i18n="account_profile.our_notes") Our Notes
 - var notes = user.get('jobProfileNotes') || '';
- if !me.isAdmin()
+ if me.isAdmin()
 textarea#job-profile-notes!= notes
 else
 div!= marked(notes)
diff --git a/app/templates/base.jade b/app/templates/base.jade
index 6cb4a34f2..ebc6b5a97 100644
--- a/app/templates/base.jade
+++ b/app/templates/base.jade
@@ -58,7 +58,7 @@ body
 .footer.clearfix
 .content
 p.footer-link-text
- if pathname == "/"
+ if pathname == "/" || (me.get('permissions') || []).indexOf('employer') != -1
 a(href='/employers', title='Home', tabindex=-1, data-i18n="nav.employers") Employers
 else
 a(href='/', title='Home', tabindex=-1, data-i18n="nav.home") Home
diff --git a/server/users/user_handler.coffee b/server/users/user_handler.coffee
index f13c11c8c..0073bf5ae 100644
--- a/server/users/user_handler.coffee
+++ b/server/users/user_handler.coffee
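Review bot: With the condition inverted, every non-admin viewer now takes the `div!= marked(notes)` branch, which emits the markdown-rendered notes unescaped (`!=`), so whatever `marked` returns lands in the page as raw HTML. The `textarea` branch shows that only admins edit these notes, which limits the exposure, but the assumption deserves to sit next to the line: `//- notes are admin-written; output is unescaped (!=), so marked must stay in sanitizing mode`. Whether `marked` is configured to sanitize cannot be seen from this hunk.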
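Review bot: The footer link test hard-codes the permission string, `(me.get('permissions') || []).indexOf('employer') != -1`, which now appears here and again as `'employer' in (req.user.get('permissions') ? [])` in the user_handler hunk at line 47. A `me.isEmployer()` helper mirroring the `me.isAdmin()` call used in the profile.jade hunk would keep the test in one place, so a later change to the permission name cannot leave client and server disagreeing. This footer test only selects which link to render; the visibility decision itself stays with the server handler's `includeCandidate` check.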
@@ -47,7 +47,7 @@ UserHandler = class UserHandler extends Handler
 delete obj[prop] for prop in serverProperties
 includePrivates = req.user and (req.user.isAdmin() or req.user._id.equals(document._id))
 delete obj[prop] for prop in privateProperties unless includePrivates
- includeCandidate = includePrivates or (obj.jobProfileApproved and req.user and ('employer' in (req.user.permissions ? [])) and @employerCanViewCandidate req.user, obj)
+ includeCandidate = includePrivates or (obj.jobProfileApproved and req.user and ('employer' in (req.user.get('permissions') ? [])) and @employerCanViewCandidate req.user, obj)
 delete obj[prop] for prop in candidateProperties unless includeCandidate
 return obj
@@ -266,8 +266,8 @@ UserHandler = class UserHandler extends Handler
 selection += ' jobProfileApproved' if req.user.isAdmin()
 User.find(query).select(selection).exec (err, documents) =>
 return @sendDatabaseError(res, err) if err
- candidates = (@formatCandidate(authorized, doc) for doc in documents)
- candidates = (candidate for candidate in candidates when @employerCanViewCandidate req.user, candidate)
+ candidates = (candidate for candidate in documents when @employerCanViewCandidate req.user, candidate.toObject())
+ candidates = (@formatCandidate(authorized, candidate) for candidate in candidates)
 @sendSuccess(res, candidates)
 formatCandidate: (authorized, document) ->
@@ -285,6 +285,8 @@ UserHandler = class UserHandler extends Handler
 for job in candidate.jobProfile?.work ? []
 # TODO: be smarter about different ways to write same company names to ensure privacy.
 # We'll have to manually pay attention to how we set employer names for now.
+ if job.employer?.toLowerCase() is employer.get('employerAt')?.toLowerCase()
+ log.info "#{employer.get('name')} at #{employer.get('employerAt')} can't see #{candidate.jobProfile.name} because s/he worked there."
 return false if job.employer?.toLowerCase() is employer.get('employerAt')?.toLowerCase()
 true
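Review bot: `@employerCanViewCandidate req.user, obj` runs after `delete obj[prop] for prop in serverProperties` and after the `privateProperties` deletion two lines above it, so if `jobProfile` or the fields under it are in either list, the check sees no work history and admits every employer. Those lists are outside the hunk, so this is a suspicion to confirm rather than a fact; the listing code in the 266 hunk sidesteps it by handing `candidate.toObject()` to the same method, and doing likewise here — `@employerCanViewCandidate req.user, document.toObject()`, if `document` is the Mongoose document that `document._id` suggests — makes the two call sites agree on what the check inspects. The enclosing method starts before this hunk.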
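Review bot: The added `if` repeats the comparison of the `return false if ...` line that follows it, and both evaluate `job.employer?.toLowerCase() is employer.get('employerAt')?.toLowerCase()` with a weakness the commit leaves in place: when the viewer has no `employerAt` and a work entry has no `employer`, both sides are `undefined`, CoffeeScript's `is` compiles to `===`, and the candidate is hidden from a viewer who works nowhere on record. Hoisting `employerAt` out of the loop, returning `true` when it is unset, and folding the log into a single block removes both the duplication and that false positive, assuming an employer without `employerAt` is meant to see every approved candidate. The `log.info` line also writes the candidate's name into the log on every hidden listing; the record's `_id`, where the stripped object still carries it, would identify the candidate without putting a person's name into log storage. `employerCanViewCandidate` begins before this hunk, so the `employer` and `candidate` parameter names are inferred from the body.
```coffeescript
    employerAt = employer.get('employerAt')?.toLowerCase()
    return true unless employerAt
    for job in candidate.jobProfile?.work ? []
      # … unchanged: TODO comments about normalizing company names …
      if job.employer?.toLowerCase() is employerAt
        log.info "#{employer.get('name')} at #{employer.get('employerAt')} can't see #{candidate.jobProfile.name} because s/he worked there."
        return false
    true
```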