From 235c6434c10d592fc9ed413c1f731c305241cc6d Mon Sep 17 00:00:00 2001
From: Ted Johansson
Date: Mon, 18 Nov 2024 19:25:42 +0800
Subject: [PATCH] FIX: Don't include secret membership groups when serializing other users (#29799)

As part of a previous fix we changed which groups are serialized for a user, in order to fix a bug in the default group selector under user preferences. However, we should only change this when serializing the current user. This change combines the old code-path and the new based on who is serializing.
---
 app/serializers/user_serializer.rb       |  6 +++++-
 spec/serializers/user_serializer_spec.rb | 22 +++++++++++++++++-----
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb
index d2c2d063bb5..4cc382b5993 100644
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@@ -90,7 +90,11 @@ class UserSerializer < UserCardSerializer
   end

   def groups
-    object.groups.order(:id).visible_groups(scope.user)
+    if scope.user == object
+      object.groups.order(:id).visible_groups(scope.user)
+    else
+      object.groups.order(:id).visible_groups(scope.user).members_visible_groups(scope.user)
+    end
   end

   def group_users
diff --git a/spec/serializers/user_serializer_spec.rb b/spec/serializers/user_serializer_spec.rb
index 0cb07c86757..9260e9396e1 100644
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
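Review bot: Both branches of the new `groups` method repeat `object.groups.order(:id).visible_groups(scope.user)`; only the `members_visible_groups` step depends on the branch, so the base relation could be built once with `base = object.groups.order(:id).visible_groups(scope.user)` followed by `scope.user == object ? base : base.members_visible_groups(scope.user)`. A why-comment above the conditional would help the next reader, e.g. `# A user may see their own secret-membership groups; anyone else only sees groups whose member list is visible to them.` Whether `members_visible_groups` already lets staff see another user's membership is not visible in this hunk, so the case of an admin viewing another user's profile is worth confirming against that scope. The `UserSerializer` class begins and ends outside the hunk.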
@@ -511,17 +511,29 @@ RSpec.describe UserSerializer do
         members_visibility_level: Group.visibility_levels[:owners],
       )
     end

-    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
+    let(:serializer) { UserSerializer.new(user, scope: guardian, root: false) }

     before do
       group.add(user)
       group.save!
     end

-    it "should show group even when members list is not visible" do
-      json = serializer.as_json
-      expect(json[:groups].length).to eq(1)
-      expect(json[:groups].first[:id]).to eq(group.id)
+    context "when serializing user's own groups" do
+      let(:guardian) { Guardian.new(user) }
+
+      it "includes secret membership group" do
+        json = serializer.as_json
+        expect(json[:groups].map { |g| g[:id] }).to include(group.id)
+      end
+    end
+
+    context "when serializing other users' groups" do
+      let(:guardian) { Guardian.new }
+
+      it "does not include secret membership group" do
+        json = serializer.as_json
+        expect(json[:groups]).to be_empty
+      end
     end
   end
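Review bot: The "other users' groups" example asserts `expect(json[:groups]).to be_empty`, which proves more than its title claims and will break as soon as the setup gives the user any publicly visible group; the precise assertion matching the first example is `expect(json[:groups].map { |g| g[:id] }).not_to include(group.id)`. There is also no example with a staff guardian viewing another user, so whether staff still see the secret membership after this change is untested here — presumably it depends on `members_visible_groups`, which lives outside this file. The enclosing `describe` block starts before the hunk.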