From a036ac7bdcaf05bb737cdf46ada91cd2f46ebfb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Wed, 12 Nov 2014 14:49:42 +0100
Subject: [PATCH] FIX: users can see the raw email source of their own posts

---
 app/controllers/posts_controller.rb | 2 +-
 lib/guardian/post_guardian.rb | 4 ++--
 spec/controllers/posts_controller_spec.rb | 5 ++---
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 5f87364db..a62d4c059 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -31,8 +31,8 @@ class PostsController < ApplicationController
   end
 
   def raw_email
-    guardian.ensure_can_view_raw_email!
     post = Post.find(params[:id].to_i)
+    guardian.ensure_can_view_raw_email!(post)
     render json: {raw_email: post.raw_email}
   end
 
diff --git a/lib/guardian/post_guardian.rb b/lib/guardian/post_guardian.rb
index 02e1e8827..114bb1412 100644
--- a/lib/guardian/post_guardian.rb
+++ b/lib/guardian/post_guardian.rb
@@ -180,8 +180,8 @@ module PostGuardian
     is_staff?
   end
 
-  def can_view_raw_email?
-    is_staff?
+  def can_view_raw_email?(post)
+    post && (is_staff? || post.user_id == @user.id)
   end
 
   def can_unhide?(post)
diff --git a/spec/controllers/posts_controller_spec.rb b/spec/controllers/posts_controller_spec.rb
index 5305ff49b..92a2ba3d8 100644
--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@@ -72,8 +72,8 @@ describe PostsController do
     include_examples "action requires login", :get, :raw_email, id: 2
 
     describe "when logged in" do
-      let(:user) {log_in}
-      let(:post) {Fabricate(:post, user: user, raw_email: 'email_content')}
+      let(:user) { log_in }
+      let(:post) { Fabricate(:post, user: user, raw_email: 'email_content') }
 
       it "raises an error if the user doesn't have permission to view raw email" do
         Guardian.any_instance.expects(:can_view_raw_email?).returns(false)
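Review bot: Moving `Post.find` ahead of the guardian call in `raw_email` means a logged-in user now gets a not-found error for an unknown id but an authorization error for an existing post they do not own, so the two responses reveal which ids exist. The guardian predicate this presumably dispatches to (`can_view_raw_email?(post)` in the second hunk) already tolerates a nil post via its `post &&` guard, so a lookup that returns nil instead of raising would let authorization fail uniformly: `post = Post.find_by(id: params[:id].to_i)`. Whether a uniform response is wanted here depends on how the rest of the controller handles missing records, which is outside this hunk.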
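Review bot: `post.user_id == @user.id` in the new `can_view_raw_email?(post)` dereferences `@user` unconditionally, so if a Guardian can be constructed without a user this predicate raises NoMethodError instead of returning false; the module's other current-user comparisons presumably pass through an authenticated-user check first, and this one should match them. A defensive form is `post && (is_staff? || (@user && post.user_id == @user.id))`, or the module's own own-post helper if it already has one. Author access here is also not gated on the author still being able to see the post (for example one that has since been deleted); if that is intended it deserves a one-line comment such as `# authors may always fetch the raw email of their own posts; staff may fetch any`. The method that closes on the hunk's first two context lines starts outside the hunk.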
@@ -90,7 +90,6 @@ describe PostsController do
         response.should be_success
         json = ::JSON.parse(response.body)
-        json.should be_present
         json['raw_email'].should == 'email_content'
       end