From 90636c0ab5e876b7c2644739121d784da4907dc9 Mon Sep 17 00:00:00 2001
From: Braulio Bhavamitra <braulio@eita.org.br>
Date: Tue, 28 Jul 2015 12:45:54 -0300
Subject: [PATCH] metadata: do not expose metadata on private pages

---
 plugins/metadata/lib/metadata_plugin.rb                            | 1 +
 plugins/metadata/test/functional/content_viewer_controller_test.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/plugins/metadata/lib/metadata_plugin.rb b/plugins/metadata/lib/metadata_plugin.rb
index 8d07c25..5a9e64b 100644
--- a/plugins/metadata/lib/metadata_plugin.rb
+++ b/plugins/metadata/lib/metadata_plugin.rb
@@ -53,6 +53,7 @@ class MetadataPlugin < Noosfero::Plugin
         when Proc then instance_exec(&variable)
         else instance_variable_get variable
         end
+      return if object.respond_to? :public? and not object.public?
       return unless specs = (object.class.metadata_specs rescue nil)
 
       r = []
diff --git a/plugins/metadata/test/functional/content_viewer_controller_test.rb b/plugins/metadata/test/functional/content_viewer_controller_test.rb
index ae01d05..0b48971 100644
--- a/plugins/metadata/test/functional/content_viewer_controller_test.rb
+++ b/plugins/metadata/test/functional/content_viewer_controller_test.rb
@@ -57,4 +57,12 @@ class ContentViewerControllerTest < ActionController::TestCase
     end
   end
 
+  should 'not expose metadata on private pages' do
+    profile.update_column :public_profile, false
+    a = TinyMceArticle.create(name: 'Article to be shared with images', body: 'This article should be shared with all social networks <img src="/images/x.png" />', profile: profile)
+
+    get :view_page, profile: profile.identifier, page: [ a.name.to_slug ]
+    assert_no_tag tag: 'meta', attributes: { property: 'og:image', content: /\/images\/x.png/  }
+  end
+
 end
--
libgit2 0.21.2