Correct policing of access to private user details

app/controllers/api/users_controller.rb

@@ -1,6 +1,7 @@
 module Api
   class UsersController < ApiController
     before_action :disable_terms_redirect, :only => [:details]
+    before_action :setup_user_auth, :only => [:show, :index]
     before_action :authorize, :only => [:details, :gpx_files]
 
     authorize_resource

app/views/api/users/_user.json.jbuilder

@@ -4,7 +4,7 @@ json.user do
   json.account_created user.creation_time.xmlschema
   json.description user.description if user.description
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     json.contributor_terms do
       json.agreed user.terms_agreed.present?
       json.pd user.consider_pd
@@ -45,7 +45,7 @@ json.user do
     end
   end
 
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     if user.home_lat && user.home_lon
       json.home do
         json.lat user.home_lat

app/views/api/users/_user.xml.builder

@@ -2,7 +2,7 @@ xml.tag! "user", :id => user.id,
                  :display_name => user.display_name,
                  :account_created => user.creation_time.xmlschema do
   xml.tag! "description", user.description if user.description
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     xml.tag! "contributor-terms", :agreed => user.terms_agreed.present?,
                                   :pd => user.consider_pd
   else
@@ -24,7 +24,7 @@ xml.tag! "user", :id => user.id,
                          :active => user.blocks_created.active.size
     end
   end
-  if current_user && current_user == user
+  if current_user && current_user == user && can?(:details, User)
     if user.home_lat && user.home_lon
       xml.tag! "home", :lat => user.home_lat,
                        :lon => user.home_lon,