From ad1a10e6e9690cdd44557504bcd7db5d3524f162 Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Tue, 24 Nov 2020 22:19:06 +0100
Subject: [PATCH] FIX: hides votes from regular users when poll is staff only (#11342)
---
.../app/serializers/poll_option_serializer.rb | 4 +-
.../poll/app/serializers/poll_serializer.rb | 10 +++-
.../poll_option_serializer_spec.rb | 58 +++++++++++++++++++
3 files changed, 70 insertions(+), 2 deletions(-)
create mode 100644 plugins/poll/spec/serializers/poll_option_serializer_spec.rb
diff --git a/plugins/poll/app/serializers/poll_option_serializer.rb b/plugins/poll/app/serializers/poll_option_serializer.rb
index 9f151a7b342..16b869c8ee6 100644
--- a/plugins/poll/app/serializers/poll_option_serializer.rb
+++ b/plugins/poll/app/serializers/poll_option_serializer.rb
@@ -1,7 +1,6 @@ # frozen_string_literal: true class PollOptionSerializer < ApplicationSerializer - attributes :id, :html, :votes def id
@@ -13,4 +12,7 @@ class PollOptionSerializer < ApplicationSerializer object.poll_votes.size + object.anonymous_votes.to_i end + def include_votes? + scope[:can_see_results] + end end
diff --git a/plugins/poll/app/serializers/poll_serializer.rb b/plugins/poll/app/serializers/poll_serializer.rb
index 6444349bace..0a7a1c8b89c 100644
--- a/plugins/poll/app/serializers/poll_serializer.rb
+++ b/plugins/poll/app/serializers/poll_serializer.rb
@@ -42,7 +42,15 @@ class PollSerializer < ApplicationSerializer end def options - object.poll_options.map { |o| PollOptionSerializer.new(o, root: false).as_json } + can_see_results = object.can_see_results?(scope.user) + + object.poll_options.map do |option| + PollOptionSerializer.new( + option, + root: false, + scope: { can_see_results: can_see_results } + ).as_json + end end def voters
diff --git a/plugins/poll/spec/serializers/poll_option_serializer_spec.rb b/plugins/poll/spec/serializers/poll_option_serializer_spec.rb
new file mode 100644
index 00000000000..62fd3742dcd
--- /dev/null
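Review bot: `include_votes?` in poll_option_serializer.rb indexes `scope` directly, so it only behaves as intended when the caller passes a Hash scope. With no scope it raises on nil, and with any other scope object the result is whatever that object's `[]` returns; whether other callers of PollOptionSerializer exist is not visible in this patch. Since this predicate is the access check for vote counts, I would make the default explicit and strict: `scope.is_a?(Hash) && scope[:can_see_results] == true`. A one-line comment such as `# votes are serialized only when the caller has explicitly granted result visibility` would also help; the rest of the class lies outside the hunk.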
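Review bot: In `options`, the visibility decision depends on `object.can_see_results?(scope.user)`, and `scope.user` is presumably nil for anonymous viewers; `can_see_results?` is not part of this patch, so please confirm it denies a nil user on staff-only polls. The check is also applied only to the per-option `votes`; the `voters` method that follows is cut off by the hunk, so it is worth verifying that it and any other result-bearing attribute of this serializer use the same decision. A short comment above the first line would record the intent: `# decide once per poll; option serializers only emit votes when this is true`.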
+++ b/plugins/poll/spec/serializers/poll_option_serializer_spec.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+def serialize_option(option, user)
+ PollOptionSerializer.new(
+ option,
+ root: false,
+ scope: { can_see_results: poll.can_see_results?(user) }
+ )
+end
+
+describe PollOptionSerializer do
+ let(:voter) { Fabricate(:user) }
+ let(:poll) { post.polls.first }
+
+ before do
+ poll.poll_votes.create!(poll_option_id: poll.poll_options.first.id, user_id: voter.id)
+ end
+
+ context 'poll results are public' do
+ let(:post) { Fabricate(:post, raw: "[poll]\n- A\n- B\n[/poll]") }
+
+ context 'user is not staff' do
+ let(:user) { Fabricate(:user) }
+
+ it 'include votes' do
+ serializer = serialize_option(poll.poll_options.first, user)
+
+ expect(serializer.include_votes?).to eq(true)
+ end
+ end
+ end
+
+ context 'poll results are staff only' do
+ let(:post) { Fabricate(:post, raw: "[poll results=staff_only]\n- A\n- B\n[/poll]") }
+
+ context 'user is not staff' do
+ let(:user) { Fabricate(:user) }
+
+ it 'doesn’t include votes' do
+ serializer = serialize_option(poll.poll_options.first, user)
+
+ expect(serializer.include_votes?).to eq(false)
+ end
+ end
+
+ context 'user staff' do
+ let(:admin) { Fabricate(:admin) }
+
+ it 'includes votes' do
+ serializer = serialize_option(poll.poll_options.first, admin)
+
+ expect(serializer.include_votes?).to eq(true)
+ end
+ end
+ end
+end
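Review bot: The examples assert only `include_votes?`, not the serialized output, and they build the scope hash themselves, so the wiring added in `PollSerializer#options` is not exercised. A regression that drops the `scope:` argument there would still pass this spec. I would add an assertion on the payload for the staff-only, non-staff case, e.g. `expect(serializer.as_json.keys.map(&:to_s)).not_to include('votes')`, plus an example for an anonymous viewer (`serialize_option(poll.poll_options.first, nil)`). `serialize_option` is also defined at file top level, which makes it a method on every object in the test process; moving it inside the `describe` block keeps it local.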