diff --git a/app/models/organization.rb b/app/models/organization.rb
index 2f9f4cc..da67e14 100644
--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -8,6 +8,13 @@ class Organization < Profile
 :display => %w[compact] }
+ scope :visible_for_person, lambda { |person|
+ joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
+ .where(
+ ['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+ (profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id, true, true]
+ ).uniq
+ }
 settings_items :closed, :type => :boolean, :default => false
 def closed?
diff --git a/app/models/person.rb b/app/models/person.rb
index ae1451e..650d63b 100644
--- a/app/models/person.rb
+++ b/app/models/person.rb
@@ -39,6 +39,14 @@ roles] }
 { :select => 'DISTINCT profiles.*', :conditions => ['"profiles"."id" NOT IN (SELECT DISTINCT profiles.id FROM "profiles" INNER JOIN "friendships" ON "friendships"."person_id" = "profiles"."id" WHERE "friendships"."friend_id" IN (%s))' % resources.map(&:id)] } }
+ scope :visible_for_person, lambda { |person|
+ joins('LEFT JOIN "friendships" ON "friendships"."friend_id" = "profiles"."id"')
+ .where(
+ ['( ( friendships.person_id = ? ) OR (profiles.public_profile = ?)) AND (profiles.visible = ?)', person.id, true, true]
+ ).uniq
+ }
+
+
 def has_permission_with_admin?(permission, resource)
 return true if resource.blank? || resource.admins.include?(self)
 return true if resource.kind_of?(Profile) && resource.environment.admins.include?(self)
diff --git a/app/models/profile.rb b/app/models/profile.rb
index 6d07ae6..c6805c2 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
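Review bot: The new `visible_for_person` scope in organization.rb dereferences `person.id` with no nil guard, so if it is ever reached without an authenticated person (the only caller visible in this commit passes `current_person` from lib/api/v1/people.rb) it raises NoMethodError instead of narrowing to public profiles; whether a nil viewer should see only `public_profile` rows or be rejected earlier should be decided and stated above the scope. The rule itself is undocumented — a one-line comment such as `# Visible profiles that are public or carry any role assignment for the given person (accessor_type Profile.name).` would spare readers the SQL. The `secret` flag that `scope :public` in profile.rb (shown as context in the hunk below) requires to be false is not consulted here, so if secret organizations are meant to stay hidden from non-members this scope still lists them whenever `public_profile` is true; that is inherited from the removed base-class scope, but worth confirming now that this is the only path. With the base-class scope deleted in profile.rb, any caller that used `Profile.visible_for_person` no longer resolves it; only Organization and Person define it after this change.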
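Review bot: The friendship condition in person.rb's `visible_for_person` is one-directional: a `public_profile = false` person is exposed when a `friendships` row has `person_id` = viewer and `friend_id` = the listed profile, i.e. when the viewer has the listed person among their friends, with nothing checked in the other direction. If such a row can be created by the viewer side alone (the accompanying test adds both `person.add_friend(p2)` and `p2.add_friend(person)`, which suggests the relation is not symmetric), a private profile's exposure would depend on an action its owner did not take; the intended direction should be confirmed and recorded, e.g. `# Private people are visible to viewers who list them as friends (friendships.person_id = viewer).` As in the Organization scope, `person.id` is called with no nil guard. The two trailing blank added lines leave a double blank line before `def has_permission_with_admin?`, which starts in the hunk but ends outside it.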
@@ -145,14 +145,6 @@ class Profile < ActiveRecord::Base
 scope :public, :conditions => { :visible => true, :public_profile => true, :secret => false }
 scope :enabled, :conditions => { :enabled => true }
- scope :visible_for_person, lambda { |person|
- joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
- .where(
- ['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
- (profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id, true, true]
- ).uniq
- }
-
 # Subclasses must override this method
 scope :more_popular
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index d3da3a0..b5c55b2 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -31,7 +31,9 @@ module API
 expose :image, :using => Image
 end
- class Person < Profile;end;
+ class Person < Profile
+ root 'people', 'person'
+ end
 class Enterprise < Profile
 root 'enterprises', 'enterprise'
 end
diff --git a/lib/api/v1/people.rb b/lib/api/v1/people.rb
index 988034f..669910d 100644
--- a/lib/api/v1/people.rb
+++ b/lib/api/v1/people.rb
@@ -17,12 +17,20 @@ module API
 # GET /people?reference_id=10&limit=10&oldest
 get do
 people = select_filtered_collection_of(environment, 'people', params)
+ people = people.visible_for_person(current_person)
 present people, :with => Entities::Person
 end
 desc "Return the person information"
- get '/:id' do
- present environment.people.find(params[:id]), :with => Entities::Person
+ get ':id' do
+ person = environment.people.visible.find_by_id(params[:id])
+ present person, :with => Entities::Person
+ end
+
+ desc "Return the person friends"
+ get ':id/friends' do
+ friends = current_person.friends.visible
+ present friends, :with => Entities::Person
 end
 end
diff --git a/test/unit/api/people_test.rb b/test/unit/api/people_test.rb
index 9a684b0..53ab072 100644
--- a/test/unit/api/people_test.rb
+++ b/test/unit/api/people_test.rb
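Review bot: `get ':id'` in lib/api/v1/people.rb checks only `.visible`, while the index just above it filters with `visible_for_person(current_person)`, so a person excluded from `GET /people` by `public_profile = false` is still returned by `GET /people/:id` — the list filter is bypassed by requesting ids directly — and the lookup should use the same scope: `person = environment.people.visible_for_person(current_person).find_by_id(params[:id])`. In `get ':id/friends'` the `:id` parameter is never read: `current_person.friends.visible` always returns the caller's own friends whatever id is in the path, so either the id should be resolved through the same visibility scope and that person's friends listed with `visible_for_person(current_person)`, or the route should not carry an id. `find_by_id` yields nil for unknown or hidden ids and `present nil` then answers 200 with an empty body, which a client cannot tell apart from a record with no fields; a 404 is the clearer shape. The enclosing class/resource block starts before this hunk.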
@@ -6,24 +6,97 @@ class PeopleTest < ActiveSupport::TestCase
 login_api
 end
- should 'list persons' do
- person1 = fast_create(Person)
+
+ should 'list all people' do
+ person1 = fast_create(Person, :public_profile => true)
 person2 = fast_create(Person)
+ get "/api/v1/people?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equivalent [person1.id, person2.id, person.id], json['people'].map {|c| c['id']}
+ end
+
+ should 'not list invisible people' do
+ person1 = fast_create(Person)
+ fast_create(Person, :visible => false)
+
+ get "/api/v1/people?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equivalent [person1.id, person.id], json['people'].map {|c| c['id']}
+ end
+
+ should 'not list private people without permission' do
+ person1 = fast_create(Person)
+ fast_create(Person, :public_profile => false)
+
+ get "/api/v1/people?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equivalent [person1.id, person.id], json['people'].map {|c| c['id']}
+ end
+
+ should 'list private person for friends' do
+ p1 = fast_create(Person)
+ p2 = fast_create(Person, :public_profile => false)
+ person.add_friend(p2)
+ p2.add_friend(person)
 get "/api/v1/people?#{params.to_query}"
 json = JSON.parse(last_response.body)
+ assert_equivalent [p1.id, p2.id, person.id], json['people'].map {|c| c['id']}
+ end
+
+ should 'get person' do
+ person = fast_create(Person)
+
+ get "/api/v1/people/#{person.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal person.id, json['person']['id']
+ end
- assert_includes json.map {|c| c['id']}, person1.id
- assert_includes json.map {|c| c['id']}, person2.id
+ should 'not get invisible person' do
+ person = fast_create(Person, :visible => false)
+
+ get "/api/v1/people/#{person.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert json['person'].blank?
 end
- should 'return one person by id' do
+ should 'not get private people without permission' do
 person = fast_create(Person)
+ fast_create(Person, :public_profile => false)
+
+ get "/api/v1/people/#{person.id}?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equal person.id, json['person']['id']
+ end
+
+ should 'get private person for friends' do
+ person = fast_create(Person, :public_profile => false)
+ person.add_friend(person)
 get "/api/v1/people/#{person.id}?#{params.to_query}"
 json = JSON.parse(last_response.body)
+ assert_equal person.id, json['person']['id']
+ end
+
+ should 'list person friends' do
+ p = fast_create(Person)
+ fast_create(Person)
+ person.add_friend(p)
+
+ get "/api/v1/people/#{person.id}/friends?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equivalent [p.id], json['people'].map {|c| c['id']}
+ end
- assert_equal person.id, json['id']
+ should 'not list person friends invisible' do
+ p1 = fast_create(Person)
+ p2 = fast_create(Person, :visible => false)
+ person.add_friend(p1)
+ person.add_friend(p2)
+
+ get "/api/v1/people/#{person.id}/friends?#{params.to_query}"
+ json = JSON.parse(last_response.body)
+ assert_equivalent [p1.id], json['people'].map {|c| c['id']}
 end
 end
-- 
libgit2 0.21.2
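Review bot: `should 'not get private people without permission'` requests `person` (the public one) rather than the private profile created on the line above, so it passes whether or not `GET /people/:id` enforces `public_profile`; it should fetch the private id and expect nothing back, e.g. `private_person = fast_create(Person, :public_profile => false)`, `get "/api/v1/people/#{private_person.id}?#{params.to_query}"`, `assert json['person'].blank?`. `should 'get private person for friends'` rebinds `person` to the new private profile and then calls `person.add_friend(person)`, so the profile befriends itself rather than the logged-in requester, no friendship with the caller exists, and the assertion holds only because the endpoint under test does not filter by `public_profile` at all; name the private profile differently and friend it from the logged-in `person`. Both friends-list tests call the route with the logged-in person's own id, which cannot detect that the endpoint ignores `params[:id]`; one case should request another person's id. The `assert json['person'].blank?` checks in the hidden-person cases would be stronger as a status assertion, since an empty 200 and a 404 both satisfy them.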