FEATURE: restrict some user fields for TL0 users when viewed by anonymous users

2024-11-22 17:06:31 -06:00 · 2014-11-26 19:20:03 +01:00 · 2014-11-26 19:20:03 +01:00 · 27d78332c4
commit 27d78332c4
parent cb124d5836
2 changed files with 31 additions and 21 deletions
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@ -18,6 +18,17 @@ class UserSerializer < BasicUserSerializer
    end
  end

+  # attributes that are hidden for TL0 users when seen by anonymous
+  def self.untrusted_attributes(*attrs)
+    attrs.each do |attr|
+      method_name = "include_#{attr}?"
+      define_method(method_name) do
+        return false if object.trust_level == TrustLevel[0] && scope.anonymous?
+        send(attr).present?
+      end
+    end
+  end
+
  attributes :name,
             :email,
             :last_posted_at,
@ -87,6 +98,14 @@ class UserSerializer < BasicUserSerializer
                     :card_image_badge,
                     :card_image_badge_id

+  untrusted_attributes :bio_raw,
+                       :bio_cooked,
+                       :bio_excerpt,
+                       :location,
+                       :website,
+                       :profile_background,
+                       :card_background
+
  ###
  ### ATTRIBUTES
  ###
@ -99,15 +118,10 @@ class UserSerializer < BasicUserSerializer
    object.user_profile.card_image_badge
  end

-
  def bio_raw
    object.user_profile.bio_raw
  end

-  def include_bio_raw?
-    bio_raw.present?
-  end
-
  def bio_cooked
    object.user_profile.bio_processed
  end
@ -116,10 +130,6 @@ class UserSerializer < BasicUserSerializer
    object.user_profile.website
  end

-  def include_website?
-    website.present?
-  end
-
  def card_image_badge_id
    object.user_profile.card_image_badge.try(:id)
  end
@ -140,26 +150,14 @@ class UserSerializer < BasicUserSerializer
    object.user_profile.profile_background
  end

-  def include_profile_background?
-    profile_background.present?
-  end
-
  def card_background
    object.user_profile.card_background
  end

-  def include_card_background?
-    card_background.present?
-  end
-
  def location
    object.user_profile.location
  end

-  def include_location?
-    location.present?
-  end
-
  def can_edit
    scope.can_edit?(object)
  end
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@ -3,6 +3,18 @@ require_dependency 'user'

 describe UserSerializer do

+  context "with a TL0 user seen as anonymous" do
+    let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
+    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
+    let(:json) { serializer.as_json }
+
+    let(:untrusted_attributes) { %i{bio_raw bio_cooked bio_excerpt location website profile_background card_background} }
+
+    it "doesn't serialize untrusted attributes" do
+      untrusted_attributes.each { |attr| json.should_not have_key(attr) }
+    end
+  end
+
  context "with a user" do
    let(:user) { Fabricate.build(:user, user_profile: Fabricate.build(:user_profile) ) }
    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }