From c60e177c32ca31cb5cf57d814f2fc0060b5504ec Mon Sep 17 00:00:00 2001
From: Andrea Stagi
Date: Mon, 14 Sep 2015 17:43:21 +0200
Subject: [PATCH] Show email field for the same user or superuser
---
 taiga/users/api.py | 2 +-
 tests/integration/test_users.py | 48 ++++++++++++++++++++++++++++++---
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/taiga/users/api.py b/taiga/users/api.py
index 508e707f..93f42fb1 100644
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@@ -58,7 +58,7 @@ class UsersViewSet(ModelCrudViewSet):
 def get_serializer_class(self):
 if self.action in ["partial_update", "update", "retrieve", "by_username"]:
 user = self.object
- if self.request.user == user:
+ if self.request.user == user or self.request.user.is_superuser:
 return self.admin_serializer_class
 return self.serializer_class
diff --git a/tests/integration/test_users.py b/tests/integration/test_users.py
index b658045f..8cb28a58 100644
--- a/tests/integration/test_users.py
+++ b/tests/integration/test_users.py
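Review bot: The added `or self.request.user.is_superuser` clause in `get_serializer_class` applies to `partial_update` and `update` as well as to the two read actions, so a superuser is now handed `admin_serializer_class` when writing to another user's record, not only when viewing it. The commit title only describes showing the email field; if widening the writable field set was not intended, the superuser clause can be limited to reads, `if self.request.user == user or (self.action in ["retrieve", "by_username"] and self.request.user.is_superuser):`. Whether the permission layer lets a superuser reach the update actions on another account is not visible in this hunk, so this may already be constrained elsewhere. A short comment above the condition, for example `# admin serializer exposes private fields such as email: owner or superuser only`, would record why the branch exists.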
@@ -253,6 +253,45 @@ def test_list_contacts_public_projects(client):
 assert response_content[0]["id"] == user_2.id
+def test_mail_permissions(client):
+ user_1 = f.UserFactory.create(is_superuser=True)
+ user_2 = f.UserFactory.create()
+
+ url1 = reverse('users-detail', kwargs={"pk": user_1.pk})
+ url2 = reverse('users-detail', kwargs={"pk": user_2.pk})
+
+ # Anonymous user
+ response = client.json.get(url1)
+ assert response.status_code == 200
+ assert "email" not in response.data
+
+ response = client.json.get(url2)
+ assert response.status_code == 200
+ assert "email" not in response.data
+
+ # Superuser
+ client.login(user_1)
+
+ response = client.json.get(url1)
+ assert response.status_code == 200
+ assert "email" in response.data
+
+ response = client.json.get(url2)
+ assert response.status_code == 200
+ assert "email" in response.data
+
+ # Normal user
+ client.login(user_2)
+
+ response = client.json.get(url1)
+ assert response.status_code == 200
+ assert "email" not in response.data
+
+ response = client.json.get(url2)
+ assert response.status_code == 200
+ assert "email" in response.data
+
+
 def test_get_favourites_list():
 fav_user = f.UserFactory()
 viewer_user = f.UserFactory()
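Review bot: `test_mail_permissions` only issues GET requests against `users-detail`, while the condition changed in `taiga/users/api.py` also picks the serializer for `by_username`, `update` and `partial_update`. An email leak through the `by_username` action to an anonymous or unrelated caller would therefore pass this test; repeating the anonymous / superuser / normal-user assertions against that action would cover the read side of the branch. In the superuser block, only the `url2` request exercises the new code path, since `url1` is the superuser's own record and returned the email before this change; a comment such as `# url2: another user's record, visible only because user_1 is superuser` would make that explicit.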
@@ -404,13 +443,16 @@ def test_get_favourites_list_permissions():
 f.VoteFactory(content_type=content_type, object_id=issue.id, user=fav_user)
 f.VotesFactory(content_type=content_type, object_id=issue.id, count=1)
- #If the project is private a viewer user without any permission shouldn' see any vote
+ #If the project is private a viewer user without any permission shouldn' see
+ # any vote
 assert len(get_favourites_list(fav_user, viewer_unpriviliged_user)) == 0
- #If the project is private but the viewer user has permissions the votes should be accesible
+ #If the project is private but the viewer user has permissions the votes should
+ # be accesible
 assert len(get_favourites_list(fav_user, viewer_priviliged_user)) == 4
- #If the project is private but has the required anon permissions the votes should be accesible by any user too
+ #If the project is private but has the required anon permissions the votes should
+ # be accesible by any user too
 project.anon_permissions = ["view_project", "view_us", "view_tasks", "view_issues"]
 project.save()
 assert len(get_favourites_list(fav_user, viewer_unpriviliged_user)) == 4