FIX: Don't include secret membership groups when serializing other users (#29799)

As part of a previous fix we changed which groups are serialized for a user, in order to fix a bug in the default group selector under user preferences.

However, we should only change this when serializing the current user. This change combines the old code-path and the new based on who is serializing.

app/serializers/user_serializer.rb

@@ -90,7 +90,11 @@ class UserSerializer < UserCardSerializer
   end
 
   def groups
-    object.groups.order(:id).visible_groups(scope.user)
+    if scope.user == object
+      object.groups.order(:id).visible_groups(scope.user)
+    else
+      object.groups.order(:id).visible_groups(scope.user).members_visible_groups(scope.user)
+    end
   end
 
   def group_users

spec/serializers/user_serializer_spec.rb

@@ -511,17 +511,29 @@ RSpec.describe UserSerializer do
         members_visibility_level: Group.visibility_levels[:owners],
       )
     end
-    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
+    let(:serializer) { UserSerializer.new(user, scope: guardian, root: false) }
 
     before do
       group.add(user)
       group.save!
     end
 
-    it "should show group even when members list is not visible" do
-      json = serializer.as_json
-      expect(json[:groups].length).to eq(1)
-      expect(json[:groups].first[:id]).to eq(group.id)
+    context "when serializing user's own groups" do
+      let(:guardian) { Guardian.new(user) }
+
+      it "includes secret membership group" do
+        json = serializer.as_json
+        expect(json[:groups].map { |g| g[:id] }).to include(group.id)
+      end
+    end
+
+    context "when serializing other users' groups" do
+      let(:guardian) { Guardian.new }
+
+      it "does not include secret membership group" do
+        json = serializer.as_json
+        expect(json[:groups]).to be_empty
+      end
     end
   end
 end