FIX: secondary_emails, unconfirmed_emails, group_users are private fields
Those fields should be visible only to the user.
parent
b9762afc10
commit
6258406419
@ -595,7 +595,7 @@ const User = RestModel.extend({
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isEmpty(json.user.groups)) {
|
if (!isEmpty(json.user.groups) && !isEmpty(json.user.group_users)) {
|
||||||
const groups = [];
|
const groups = [];
|
||||||
|
|
||||||
for (let i = 0; i < json.user.groups.length; i++) {
|
for (let i = 0; i < json.user.groups.length; i++) {
|
||||||
|
|
|
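Review bot: The new guard `if (!isEmpty(json.user.groups) && !isEmpty(json.user.group_users))` skips the whole groups block whenever group_users is absent, which after this commit is the case for every viewer who is neither the user nor staff, so `json.user.groups` presumably stops being turned into group models on other users' profiles — worth confirming that is intended rather than only guarding the per-group lookup. It also checks only that both arrays are non-empty, not that they line up; if the loop pairs `groups[i]` with `group_users[i]`, `json.user.groups.length === json.user.group_users.length` is the safer guard. The enclosing function starts before and the loop body ends after this hunk.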
@ -80,6 +80,9 @@ class UserCardSerializer < BasicUserSerializer
|
||||||
(scope.is_staff? && object.staged?)
|
(scope.is_staff? && object.staged?)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
alias_method :include_secondary_emails?, :include_email?
|
||||||
|
alias_method :include_unconfirmed_emails?, :include_email?
|
||||||
|
|
||||||
def bio_excerpt
|
def bio_excerpt
|
||||||
object.user_profile.bio_excerpt(350, keep_newlines: true, keep_emoji_images: true)
|
object.user_profile.bio_excerpt(350, keep_newlines: true, keep_emoji_images: true)
|
||||||
end
|
end
|
||||||
|
|
|
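Review bot: `alias_method :include_secondary_emails?, :include_email?` copies the method as it is defined at that point, so if `UserSerializer` (which subclasses this serializer) or a plugin later overrides `include_email?`, the secondary and unconfirmed email fields would keep the UserCardSerializer rule while `email` follows the override. Delegating keeps the three fields on one policy: `def include_secondary_emails?; include_email?; end` and the same for `include_unconfirmed_emails?`. A short comment such as `# secondary and unconfirmed emails follow the same visibility rule as the primary email` would make the intent clear to the next reader. `include_email?` itself begins above the hunk; the visible tail grants staff access to staged users' emails, so the full rule cannot be reviewed here.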
@ -78,6 +78,10 @@ class UserSerializer < UserCardSerializer
|
||||||
object.group_users.order(:group_id)
|
object.group_users.order(:group_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def include_group_users?
|
||||||
|
(object.id && object.id == scope.user.try(:id)) || scope.is_staff?
|
||||||
|
end
|
||||||
|
|
||||||
def include_associated_accounts?
|
def include_associated_accounts?
|
||||||
(object.id && object.id == scope.user.try(:id))
|
(object.id && object.id == scope.user.try(:id))
|
||||||
end
|
end
|
||||||
|
|
|
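Review bot: The ownership check `object.id && object.id == scope.user.try(:id)` in the new `include_group_users?` duplicates the one in `include_associated_accounts?` directly below it; a private predicate such as `own_profile?` used by both would keep the two visibility rules from drifting apart. Because `include_group_users?` additionally grants staff while `include_associated_accounts?` does not, a one-line comment like `# visible to the user themselves and to staff; omitted for everyone else` would document that the difference is deliberate. The `group_users` method this predicate gates starts above the hunk.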
@ -0,0 +1,40 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
describe UserCardSerializer do
|
||||||
|
context "with a TL0 user seen as anonymous" do
|
||||||
|
let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
|
||||||
|
let(:serializer) { described_class.new(user, scope: Guardian.new, root: false) }
|
||||||
|
let(:json) { serializer.as_json }
|
||||||
|
|
||||||
|
it "does not serialize emails" do
|
||||||
|
expect(json[:secondary_emails]).to be_nil
|
||||||
|
expect(json[:unconfirmed_emails]).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context "as current user" do
|
||||||
|
it "serializes emails correctly" do
|
||||||
|
user = Fabricate.build(:user,
|
||||||
|
id: 1,
|
||||||
|
user_profile: Fabricate.build(:user_profile),
|
||||||
|
user_option: UserOption.new(dynamic_favicon: true),
|
||||||
|
user_stat: UserStat.new
|
||||||
|
)
|
||||||
|
json = described_class.new(user, scope: Guardian.new(user), root: false).as_json
|
||||||
|
expect(json[:secondary_emails]).to eq([])
|
||||||
|
expect(json[:unconfirmed_emails]).to eq([])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context "as different user" do
|
||||||
|
let(:user) { Fabricate(:user, trust_level: 0) }
|
||||||
|
let(:user2) { Fabricate(:user, trust_level: 1) }
|
||||||
|
it "does not serialize emails" do
|
||||||
|
json = described_class.new(user, scope: Guardian.new(user2), root: false).as_json
|
||||||
|
expect(json[:secondary_emails]).to be_nil
|
||||||
|
expect(json[:unconfirmed_emails]).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
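Review bot: The negative assertions `expect(json[:secondary_emails]).to be_nil` (and the matching one for unconfirmed_emails) in the anonymous and different-user contexts also pass if the key is present with a nil value, which would still reveal that the attribute exists; `expect(json).not_to have_key(:secondary_emails)` pins the stronger property that the serializer omits the field, and matches the `have_key` style already used in the UserSerializer spec. There is also no example for the staff-viewing-a-staged-user branch visible in `include_email?`, so a staff-scoped Guardian case would complete coverage of the new aliases.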
@ -14,6 +14,10 @@ describe UserSerializer do
|
||||||
it "doesn't serialize untrusted attributes" do
|
it "doesn't serialize untrusted attributes" do
|
||||||
untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
|
untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't serialize group_users" do
|
||||||
|
expect(json[:group_users]).to be_nil
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "as current user" do
|
context "as current user" do
|
||||||
|
@ -24,6 +28,7 @@ describe UserSerializer do
|
||||||
SiteSetting.default_other_new_topic_duration_minutes = 60 * 24
|
SiteSetting.default_other_new_topic_duration_minutes = 60 * 24
|
||||||
|
|
||||||
user = Fabricate.build(:user,
|
user = Fabricate.build(:user,
|
||||||
|
id: 1,
|
||||||
user_profile: Fabricate.build(:user_profile),
|
user_profile: Fabricate.build(:user_profile),
|
||||||
user_option: UserOption.new(dynamic_favicon: true),
|
user_option: UserOption.new(dynamic_favicon: true),
|
||||||
user_stat: UserStat.new
|
user_stat: UserStat.new
|
||||||
|
@ -36,6 +41,7 @@ describe UserSerializer do
|
||||||
expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
|
expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
|
||||||
expect(json[:user_option][:notification_level_when_replying]).to eq(3)
|
expect(json[:user_option][:notification_level_when_replying]).to eq(3)
|
||||||
|
|
||||||
|
expect(json[:group_users]).to eq([])
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
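Review bot: `expect(json[:group_users]).to be_nil` only checks for a nil value; adding `:group_users` to the `untrusted_attributes` list (defined above this hunk) would run it through the existing `not_to have_key` check and fail if the key is ever emitted with a nil or empty value. `include_group_users?` also grants staff, but neither this file nor the new card serializer spec exercises a staff scope, so a third context serializing the user through a staff-scoped Guardian and asserting `json[:group_users]` is present would cover that branch.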