Improving privacy on my app

Hi everyone,

I'm looking to get a helping hand with the following issue.

On my application, you can log in and view a friend's profile. If you
are not friends with them, you see a page called 'stranger', which is a
scaled-down profile page, which is what you would see until the
friendship is confirmed.

Below is my display action which shows what's happening:

the line 'if( @friendship or @user.id == @logged_in_user.id )' only
seems to allow me to view my own profile, whilst now restricting the
view of my friends to the limited view offered by the 'strangers'
page.

Does anyone know how to refine this so it allows me to:
- View my own profile
- View my friends profiles
- Keep displaying the 'stranger' page when a friendship does not yet
exist?

Hoping someone can shed some light on this. I looked on Google for some
time and have tried various variations of the above to get the right
result...

Many thanks in advance.

def display
  @hide_edit_links = true

  # Define param - username in this case.
  username = params[:username]

  # Look for the user being viewed, and the viewer from the session
  # (assumes a logged-in session; User.find raises if session[:user_id] is nil).
  @user = User.find_by_username(username)
  @logged_in_user = User.find(session[:user_id]) # if @user.logged_in?

  if @user
    @friendship = friends?( @logged_in_user, @user )

    @title = "Profile page of: #{username}"

    @info = @user.info ||= Info.new
    #@posts = Post.find_by_user_id( session[:user_id], :order => "created_at DESC")
    #@posts = Post.find_by_user_id( @user.id, :limit => 1, :order => "created_at desc")

    # Full profile only for the owner or a confirmed friend; everyone else
    # gets the scaled-down 'stranger' page.
    if( @friendship or @user.id == @logged_in_user.id )

      @posts = Post.find_by_user_id( @user.id, :limit => 1,
                 :conditions => "active_post = 1", :order => "created_at desc")
      respond_to do |format|
        format.html
      end

    else
      render :action => "stranger"

    end
  else
    flash[:notice] = "No user #{username} found. Please try again!"
    redirect_to :action => "index"
  end
end

Hi,
First, I suggest you put the logic code in the model.

My first guess is that the problem would be somewhere in your "friends?"
method, since you can view your own profile but not anyone else's.
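As an added example (not code from the original post or its reply), here is the profile-visibility decision moved out of the controller into a plain-Ruby policy object, covering the three cases asked for above plus the usual reason a `friends?` check fails for the friend who did not send the request: the friendship row is stored in one direction only, so it must be matched in both directions and only when confirmed. The `User`, `Friendship` and `ProfilePolicy` names and the sample data are assumptions constructed for this example.

```ruby
# Constructed stand-in for the app's models, so this runs without Rails.
User = Struct.new(:id, :username)

# A friendship is stored once, as (requester, receiver, confirmed flag).
Friendship = Struct.new(:user_id, :friend_id, :confirmed)

class ProfilePolicy
  def initialize(friendships)
    @friendships = friendships
  end

  # True only when a *confirmed* friendship exists in either direction.
  # Matching a single direction (user_id == a, friend_id == b) is a common
  # reason friends? returns false for the side that received the request.
  def friends?(a, b)
    return false if a.nil? || b.nil?
    @friendships.any? do |f|
      f.confirmed &&
        ((f.user_id == a.id && f.friend_id == b.id) ||
         (f.user_id == b.id && f.friend_id == a.id))
    end
  end

  # Which view the viewer gets for the owner's profile. Fails closed:
  # anything that is not the owner or a confirmed friend sees :stranger,
  # so a pending request or a missing session never exposes the full page.
  def view_for(viewer, owner)
    return :not_found if owner.nil?
    return :stranger  if viewer.nil?
    return :owner     if viewer.id == owner.id
    friends?(viewer, owner) ? :friend : :stranger
  end
end

# Constructed sample data: alice<->bob confirmed, alice->carol still pending.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
CAROL = User.new(3, "carol")
POLICY = ProfilePolicy.new([Friendship.new(1, 2, true),
                            Friendship.new(1, 3, false)])
```

In the controller, `render :action => "stranger"` would then hang off `POLICY.view_for(@logged_in_user, @user) == :stranger` instead of the inline `or` condition.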