FIX: hide emails on admin user list for moderators (#6781)

2018-12-19 10:24:57 +01:00 · 2018-12-19 10:24:57 +01:00 · 0ce5f05b2a
parent 2fcbbead45
commit 0ce5f05b2a
4 changed files with 27 additions and 5 deletions
--- a/app/assets/javascripts/admin/controllers/admin-users-list-show.js.es6
+++ b/app/assets/javascripts/admin/controllers/admin-users-list-show.js.es6
@ -2,8 +2,9 @@ import debounce from "discourse/lib/debounce";
 import { i18n } from "discourse/lib/computed";
 import AdminUser from "admin/models/admin-user";
 import { observes } from "ember-addons/ember-computed-decorators";
+import CanCheckEmails from "discourse/mixins/can-check-emails";

-export default Ember.Controller.extend({
+export default Ember.Controller.extend(CanCheckEmails, {
  query: null,
  queryParams: ["order", "ascending"],
  order: null,
--- a/app/assets/javascripts/admin/templates/users-list-show.hbs
+++ b/app/assets/javascripts/admin/templates/users-list-show.hbs
@ -7,9 +7,9 @@

 <div class="admin-title">
  <h2>{{title}}</h2>
-  {{#unless showEmails}}
+  {{#if canCheckEmails}}
      <button {{action "showEmails"}} class="show-emails btn btn-default">{{i18n 'admin.users.show_emails'}}</button>
-  {{/unless}}
+  {{/if}}
 </div>
 <div class='username controls'>
  {{text-field value=listFilter placeholder=searchHint}}
--- a/app/serializers/admin_user_list_serializer.rb
+++ b/app/serializers/admin_user_list_serializer.rb
@ -38,8 +38,8 @@ class AdminUserListSerializer < BasicUserSerializer

  def include_email?
    # staff members can always see their email
-    (scope.is_staff? && object.id == scope.user.id) || scope.can_see_emails? ||
-      (scope.is_staff? && object.staged?)
+    (scope.is_staff? && (object.id == scope.user.id || object.staged?)) ||
+    (scope.is_admin? && scope.can_see_emails?)
  end

  alias_method :include_secondary_emails?, :include_email?
--- a/spec/serializers/admin_user_list_serializer_spec.rb
+++ b/spec/serializers/admin_user_list_serializer_spec.rb
@ -5,8 +5,10 @@ describe AdminUserListSerializer do

  context "emails" do
    let(:admin) { Fabricate(:user_single_email, admin: true, email: "admin@email.com") }
+    let(:moderator) { Fabricate(:user_single_email, moderator: true, email: "moderator@email.com") }
    let(:user) { Fabricate(:user_single_email, email: "user@email.com") }
    let(:guardian) { Guardian.new(admin) }
+    let(:mod_guardian) { Guardian.new(moderator) }

    let(:json) do
      AdminUserListSerializer.new(user,
@ -15,6 +17,13 @@ describe AdminUserListSerializer do
      ).as_json
    end

+    let(:mod_json) do
+      AdminUserListSerializer.new(user,
+        scope: mod_guardian,
+        root: false
+      ).as_json
+    end
+
    def fabricate_secondary_emails_for(u)
      ["first", "second"].each do |name|
        Fabricate(:secondary_email, user: u, email: "#{name}@email.com")
@ -57,6 +66,18 @@ describe AdminUserListSerializer do
      include_examples "not shown"
    end

+    context "when moderator makes a request with show_emails param set to true" do
+      before do
+        mod_guardian.can_see_emails = true
+        fabricate_secondary_emails_for(user)
+      end
+
+      it "doesn't contain emails" do
+        expect(mod_json[:email]).to eq(nil)
+        expect(mod_json[:secondary_emails]).to eq(nil)
+      end
+    end
+
    context "with a normal user after clicking 'show emails'" do
      before do
        guardian.can_see_emails = true