Improving privacy on my app

Hi everyone,

I'm looking to get a helping hand with the following issue.

On my application, you can log in and view a friend's profile. If you are not friends with them, you see a page called 'stranger', which is a scaled-down profile page; this is what you would see until the friendship is confirmed.

Below is my display action which shows what's happening:

The line 'if( @friendship or @user.id == @logged_in_user.id )' only seems to allow me to view my own profile, whilst now restricting the view of my friends to the limited view offered by the 'stranger' page.

Does anyone know how to refine this so it allows me to:
- View my own profile
- View my friends' profiles
- Keep displaying the 'stranger' page when a friendship does not yet exist?

Hoping someone can shed some light on this. I've looked on Google for some time and have tried various variations of the above to get the right result...

Many thanks in advance.

def display
  @hide_edit_links = true

  # define param - username in this case.
  username = params[:username]

  # Look for the user
  @user = User.find_by_username(username)
  @logged_in_user = User.find(session[:user_id]) # if @user.logged_in?

  if @user
    @friendship = friends?( @logged_in_user, @user )

    @title = "Profile page of: #{username}"

    @info = @user.info ||= Info.new
    # @posts = Post.find_by_user_id( session[:user_id], :order => "created_at DESC")
    # @posts = Post.find_by_user_id( @user.id, :limit => 1, :order => "created_at desc")

    if( @friendship or @user.id == @logged_in_user.id )
      # Dynamic finders take the value followed by an options hash; the stray
      # positional argument that sat between them has been removed.
      @posts = Post.find_by_user_id( @user.id, :limit => 1, :conditions => "active_post = 1", :order => "created_at desc")
      respond_to do |format|
        format.html
      end
    else
      render :action => "stranger"
    end
  else
    flash[:notice] = "No user #{username} found. Please try again!"
    redirect_to :action => "index"
  end
end

Hi, first I suggest you put the logic code in the model.

First guess is the problem would be somewhere in your "friends?" method, since you can view your own profile but not anyone else's.
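Following both replies, here is an added example (not the original poster's code, and not tied to Rails) of the visibility rule pulled out into plain, testable methods. It assumes, since the post does not say, that friendships are stored one row per pair with a confirmed flag and may have been created from either side; a friends? check that only looks in one direction, or ignores the confirmed flag, would show the 'stranger' page to real friends.

```ruby
# Added example: the profile-visibility decision as plain Ruby, so the
# friends? rule can be checked on its own before it goes into the model.
# Assumed (not from the post): one Friendship row per pair, created from
# either side, with a 'confirmed' flag for accepted requests.

Friendship = Struct.new(:user_id, :friend_id, :confirmed)

# A confirmed friendship counts no matter which side created the row;
# a pending (unconfirmed) request still leaves the two users strangers.
def friends?(viewer_id, owner_id, friendships)
  friendships.any? do |f|
    f.confirmed &&
      ((f.user_id == viewer_id && f.friend_id == owner_id) ||
       (f.user_id == owner_id && f.friend_id == viewer_id))
  end
end

# :full for your own page or a confirmed friend's page, :stranger otherwise.
def profile_view(viewer_id, owner_id, friendships)
  return :full if viewer_id == owner_id
  friends?(viewer_id, owner_id, friendships) ? :full : :stranger
end

# Constructed sample data for the demonstration.
SAMPLE_FRIENDSHIPS = [
  Friendship.new(1, 2, true),  # users 1 and 2 are confirmed friends (row created by 1)
  Friendship.new(3, 1, false), # user 3 asked user 1, not yet confirmed
].freeze

if __FILE__ == $0
  [[1, 1], [1, 2], [2, 1], [1, 3], [3, 1], [2, 3]].each do |viewer, owner|
    puts "viewer #{viewer} -> profile #{owner}: #{profile_view(viewer, owner, SAMPLE_FRIENDSHIPS)}"
  end
end
```

The same checks belong in a model unit test, so that a change to the friendship query cannot silently start exposing full profiles to pending or unrelated users.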