FIX: users can see the raw email source of their own posts

app/controllers/posts_controller.rb

@@ -31,8 +31,8 @@ class PostsController < ApplicationController
   end
 
   def raw_email
-    guardian.ensure_can_view_raw_email!
     post = Post.find(params[:id].to_i)
+    guardian.ensure_can_view_raw_email!(post)
     render json: {raw_email: post.raw_email}
   end
 

lib/guardian/post_guardian.rb

@@ -180,8 +180,8 @@ module PostGuardian
     is_staff?
   end
 
-  def can_view_raw_email?
+  def can_view_raw_email?(post)
-    is_staff?
+    post && (is_staff? || post.user_id == @user.id)
   end
 
   def can_unhide?(post)

spec/controllers/posts_controller_spec.rb

@@ -72,8 +72,8 @@ describe PostsController do
     include_examples "action requires login", :get, :raw_email, id: 2
 
     describe "when logged in" do
-      let(:user) {log_in}
+      let(:user) { log_in }
-      let(:post) {Fabricate(:post, user: user, raw_email: 'email_content')}
+      let(:post) { Fabricate(:post, user: user, raw_email: 'email_content') }
 
       it "raises an error if the user doesn't have permission to view raw email" do
         Guardian.any_instance.expects(:can_view_raw_email?).returns(false)
@@ -90,7 +90,6 @@ describe PostsController do
 
         response.should be_success
         json = ::JSON.parse(response.body)
-        json.should be_present
         json['raw_email'].should == 'email_content'
       end