authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-13 17:46:48 +0300
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-13 17:46:48 +0300
commitae564c97d48bf728745c57720734cb40378fd90f (patch)
treed9ac31827984c443b9c219deef29309a5e251125 /spec/requests/api/users_spec.rb
parentd5b0f29c4a3a9d7da849d91a16f70bd494831da7 (diff)
Dont expose user email via API
To prevent leaking of user info, we reduce the amount of user information retrieved via the API for normal users. What a user can get via the API: * if not admin: only id, state, name, username and avatar_url * if admin: all user information * about himself: all information Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'spec/requests/api/users_spec.rb')
-rw-r--r--spec/requests/api/users_spec.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index a6d300b099b..c4728431ec5 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -20,7 +20,7 @@ describe API::API, api: true do
get api("/users", user)
response.status.should == 200
json_response.should be_an Array
- json_response.first['email'].should == user.email
+ json_response.first['username'].should == user.username
end
end
end
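Review bot: Neither changed assertion checks that `email` is actually absent from the response for a non-admin caller, so these specs would still pass if the API started returning it again. The new line here (`json_response.first['username'].should == user.username`) and the matching one in the "should return a user by id" example only swap which field is compared. Consider adding a negative check such as `json_response.first.should_not have_key('email')`, ideally against a record belonging to a different user, since the commit message says a user still sees all of their own information. Whether `user` is a non-admin is not visible in this hunk, and the enclosing `it` block starts above it.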
@@ -29,7 +29,7 @@ describe API::API, api: true do
it "should return a user by id" do
get api("/users/#{user.id}", user)
response.status.should == 200
- json_response['email'].should == user.email
+ json_response['username'].should == user.username
end
it "should return a 401 if unauthenticated" do