From 62584064190c4e7e5543ef0d11ff070f5b8d488c Mon Sep 17 00:00:00 2001 From: Krzysztof Kotlarek Date: Tue, 16 Jun 2020 10:43:06 +1000 Subject: [PATCH] FIX: secondary_emails, unconfirmed_emails, group_users are private fields Those fields should be only visible to the user. --- .../javascripts/discourse/app/models/user.js | 2 +- app/serializers/user_card_serializer.rb | 3 ++ app/serializers/user_serializer.rb | 4 ++ spec/serializers/user_card_serializer_spec.rb | 40 +++++++++++++++++++ spec/serializers/user_serializer_spec.rb | 12 ++++-- 5 files changed, 57 insertions(+), 4 deletions(-) create mode 100644 spec/serializers/user_card_serializer_spec.rb diff --git a/app/assets/javascripts/discourse/app/models/user.js b/app/assets/javascripts/discourse/app/models/user.js index 0f67d613b23..6d9bc1ade16 100644 --- a/app/assets/javascripts/discourse/app/models/user.js +++ b/app/assets/javascripts/discourse/app/models/user.js @@ -595,7 +595,7 @@ const User = RestModel.extend({ ); } - if (!isEmpty(json.user.groups)) { + if (!isEmpty(json.user.groups) && !isEmpty(json.user.group_users)) { const groups = []; for (let i = 0; i < json.user.groups.length; i++) { diff --git a/app/serializers/user_card_serializer.rb b/app/serializers/user_card_serializer.rb index e3ec9357fb1..ebc8ee2db68 100644 --- a/app/serializers/user_card_serializer.rb +++ b/app/serializers/user_card_serializer.rb @@ -80,6 +80,9 @@ class UserCardSerializer < BasicUserSerializer (scope.is_staff? && object.staged?) end + alias_method :include_secondary_emails?, :include_email? + alias_method :include_unconfirmed_emails?, :include_email? + def bio_excerpt object.user_profile.bio_excerpt(350, keep_newlines: true, keep_emoji_images: true) end diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb index 352603d7559..9d9232af95d 100644 --- a/app/serializers/user_serializer.rb +++ b/app/serializers/user_serializer.rb 
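Review bot: The widened guard skips the whole groups block whenever `json.user.group_users` is absent, and after this commit that is the normal case for a non-staff viewer of someone else's profile, so any group information the loop derived from `json.user.groups` alone would no longer be shown to them; the loop body runs past the hunk, so I can't confirm what it actually needs `group_users` for. If `group_users` is only consulted to annotate ownership or notification level, a narrower guard at the point where it is read (treating a missing `json.user.group_users` as an empty list) would keep the public group list while still avoiding the crash this change prevents. Whichever way it goes, a one-line comment here, `// group_users is only serialized for the user themself or staff; absent otherwise`, records why the extra condition exists.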
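Review bot: `alias_method` copies the body of `include_email?` at class-definition time, so the two new aliases will not follow an override of `include_email?` in a subclass (the next file header shows `UserSerializer < UserCardSerializer`), and the visibility rules for the primary and secondary addresses could silently diverge; defining delegating predicates, `def include_secondary_emails?; include_email?; end` and `def include_unconfirmed_emails?; include_email?; end`, keeps all three governed by the one method. Only the tail of `include_email?` is in the hunk, but its visible `(scope.is_staff? && object.staged?)` branch means staff see these addresses for staged users too, which deserves a comment above the aliases, e.g. `# secondary/unconfirmed emails are as private as the primary email: the user themself, or staff viewing a staged user`.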
@@ -78,6 +78,10 @@ class UserSerializer < UserCardSerializer object.group_users.order(:group_id) end + def include_group_users? + (object.id && object.id == scope.user.try(:id)) || scope.is_staff? + end + def include_associated_accounts? (object.id && object.id == scope.user.try(:id)) end diff --git a/spec/serializers/user_card_serializer_spec.rb b/spec/serializers/user_card_serializer_spec.rb new file mode 100644 index 00000000000..f6285f21500 --- /dev/null +++ b/spec/serializers/user_card_serializer_spec.rb @@ -0,0 +1,40 @@ +# frozen_string_literal: true + +require 'rails_helper' + +describe UserCardSerializer do + context "with a TL0 user seen as anonymous" do + let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) } + let(:serializer) { described_class.new(user, scope: Guardian.new, root: false) } + let(:json) { serializer.as_json } + + it "does not serialize emails" do + expect(json[:secondary_emails]).to be_nil + expect(json[:unconfirmed_emails]).to be_nil + end + end + + context "as current user" do + it "serializes emails correctly" do + user = Fabricate.build(:user, + id: 1, + user_profile: Fabricate.build(:user_profile), + user_option: UserOption.new(dynamic_favicon: true), + user_stat: UserStat.new + ) + json = described_class.new(user, scope: Guardian.new(user), root: false).as_json + expect(json[:secondary_emails]).to eq([]) + expect(json[:unconfirmed_emails]).to eq([]) + end + end + + context "as different user" do + let(:user) { Fabricate(:user, trust_level: 0) } + let(:user2) { Fabricate(:user, trust_level: 1) } + it "does not serialize emails" do + json = described_class.new(user, scope: Guardian.new(user2), root: false).as_json + expect(json[:secondary_emails]).to be_nil + expect(json[:unconfirmed_emails]).to be_nil + end + end +end diff --git a/spec/serializers/user_serializer_spec.rb b/spec/serializers/user_serializer_spec.rb index 2086c351ba2..197adb9f9e7 100644 
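Review bot: `include_group_users?` repeats the self-check of `include_associated_accounts?` directly below it, `(object.id && object.id == scope.user.try(:id))`, and the `object.id &&` half is load-bearing: without it an unsaved user (nil id) would compare equal to an anonymous scope (nil user) and the field would be emitted, which is presumably why the spec change adds `id: 1` to `Fabricate.build`. A comment on that line, `# object.id guard: an unsaved user (nil id) must not match an anonymous viewer (nil user)`, and a private `own_profile?` predicate shared by both methods would make the rule harder to get wrong the next time a private field is added. The commit message says these fields are visible only to the user, while this predicate also admits any staff member; the staff exception should be stated in the method or the message so the two agree.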
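Review bot: The three contexts cover an anonymous viewer, the user themself and another non-staff user, but not the `scope.is_staff? && object.staged?` branch that the aliased `include_email?` grants (visible in the serializer hunk), so a change that widened staff access to non-staged users' secondary emails would still pass this spec. A context with a staff `Guardian` viewing a non-staged user asserting both keys are nil, and one viewing a staged user asserting they are present, would pin that boundary. Minor: the "as different user" context persists records with `Fabricate(:user)` while its siblings use `Fabricate.build`; building both users with explicit distinct ids (as the "as current user" example does with `id: 1`) looks like it would keep this context database-free as well, though I can't see the fabricator to be sure.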
--- a/spec/serializers/user_serializer_spec.rb +++ b/spec/serializers/user_serializer_spec.rb @@ -14,6 +14,10 @@ describe UserSerializer do it "doesn't serialize untrusted attributes" do untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) } end + + it "doesn't serialize group_users" do + expect(json[:group_users]).to be_nil + end end context "as current user" do @@ -24,9 +28,10 @@ describe UserSerializer do SiteSetting.default_other_new_topic_duration_minutes = 60 * 24 user = Fabricate.build(:user, - user_profile: Fabricate.build(:user_profile), - user_option: UserOption.new(dynamic_favicon: true), - user_stat: UserStat.new + id: 1, + user_profile: Fabricate.build(:user_profile), + user_option: UserOption.new(dynamic_favicon: true), + user_stat: UserStat.new ) json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json @@ -36,6 +41,7 @@ describe UserSerializer do expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0) expect(json[:user_option][:notification_level_when_replying]).to eq(3) + expect(json[:group_users]).to eq([]) end end
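Review bot: Neither new assertion exercises the `|| scope.is_staff?` branch of `include_group_users?`: the first hunk checks that an anonymous viewer gets nil and the third that the user themself gets `[]`, so a staff viewer of another user's profile (the case the predicate deliberately admits) and a non-staff viewer of another user are both untested. An example with a staff scope, e.g. `Guardian.new(Fabricate.build(:user, id: 2, admin: true))` or the project's equivalent, asserting `expect(json[:group_users]).to eq([])`, plus a non-staff other-user example asserting nil, would cover both sides of the rule; if `untrusted_attributes` (defined outside the hunk) is the list for the anonymous context, `:group_users` may belong in it rather than in a separate example. The `id: 1` added to `Fabricate.build` in the second hunk is what makes the self comparison meaningful; a short comment on it, `# explicit id: a nil id would also equal an anonymous scope's nil user`, explains it for the next reader.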