FIX: secondary_emails, unconfirmed_emails, group_users are private fields

Those fields should be only visible to the user.
2025-02-25 18:55:32 -06:00 · 2020-06-16 10:43:06 +10:00
parent b9762afc10
commit 6258406419
5 changed files with 57 additions and 4 deletions
--- a/spec/serializers/user_card_serializer_spec.rb
+++ b/spec/serializers/user_card_serializer_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe UserCardSerializer do
+  context "with a TL0 user seen as anonymous" do
+    let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
+    let(:serializer) { described_class.new(user, scope: Guardian.new, root: false) }
+    let(:json) { serializer.as_json }
+
+    it "does not serialize emails" do
+      expect(json[:secondary_emails]).to be_nil
+      expect(json[:unconfirmed_emails]).to be_nil
+    end
+  end
+
+  context "as current user" do
+    it "serializes emails correctly" do
+      user = Fabricate.build(:user,
+                             id: 1,
+                             user_profile: Fabricate.build(:user_profile),
+                             user_option: UserOption.new(dynamic_favicon: true),
+                             user_stat: UserStat.new
+                            )
+      json = described_class.new(user, scope: Guardian.new(user), root: false).as_json
+      expect(json[:secondary_emails]).to eq([])
+      expect(json[:unconfirmed_emails]).to eq([])
+    end
+  end
+
+  context "as different user" do
+    let(:user) { Fabricate(:user, trust_level: 0) }
+    let(:user2) { Fabricate(:user, trust_level: 1) }
+    it "does not serialize emails" do
+      json = described_class.new(user, scope: Guardian.new(user2), root: false).as_json
+      expect(json[:secondary_emails]).to be_nil
+      expect(json[:unconfirmed_emails]).to be_nil
+    end
+  end
+end
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@@ -14,6 +14,10 @@ describe UserSerializer do
    it "doesn't serialize untrusted attributes" do
      untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
    end
+
+    it "doesn't serialize group_users" do
+      expect(json[:group_users]).to be_nil
+    end
  end

  context "as current user" do
@@ -24,9 +28,10 @@ describe UserSerializer do
      SiteSetting.default_other_new_topic_duration_minutes = 60 * 24

      user = Fabricate.build(:user,
-                              user_profile: Fabricate.build(:user_profile),
-                              user_option: UserOption.new(dynamic_favicon: true),
-                              user_stat: UserStat.new
+                             id: 1,
+                             user_profile: Fabricate.build(:user_profile),
+                             user_option: UserOption.new(dynamic_favicon: true),
+                             user_stat: UserStat.new
                            )

      json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
@@ -36,6 +41,7 @@ describe UserSerializer do
      expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
      expect(json[:user_option][:notification_level_when_replying]).to eq(3)

+      expect(json[:group_users]).to eq([])
    end
  end