Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: secondary_emails, unconfirmed_emails, group_users are private fields 

Those fields should be only visible to the user.
This commit is contained in:
Krzysztof Kotlarek 2020-06-16 10:43:06 +10:00 committed by Dan Ungureanu
parent b9762afc10
commit 6258406419
No known key found for this signature in database
GPG Key ID: 0AA2A00D6ACC8B84
5 changed files with 57 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/app/models/user.js
View File

@ -595,7 +595,7 @@ const User = RestModel.extend({
);
}
if (!isEmpty(json.user.groups)) {
if (!isEmpty(json.user.groups) && !isEmpty(json.user.group_users)) {
const groups = [];
for (let i = 0; i < json.user.groups.length; i++) {

3
app/serializers/user_card_serializer.rb
View File

@ -80,6 +80,9 @@ class UserCardSerializer < BasicUserSerializer
(scope.is_staff? && object.staged?)
end
alias_method :include_secondary_emails?, :include_email?
alias_method :include_unconfirmed_emails?, :include_email?
def bio_excerpt
object.user_profile.bio_excerpt(350, keep_newlines: true, keep_emoji_images: true)
end

4
app/serializers/user_serializer.rb
View File

@ -78,6 +78,10 @@ class UserSerializer < UserCardSerializer
object.group_users.order(:group_id)
end
def include_group_users?
(object.id && object.id == scope.user.try(:id)) || scope.is_staff?
end
def include_associated_accounts?
(object.id && object.id == scope.user.try(:id))
end

40
spec/serializers/user_card_serializer_spec.rb Normal file
View File

@ -0,0 +1,40 @@
# frozen_string_literal: true
require 'rails_helper'
describe UserCardSerializer do
context "with a TL0 user seen as anonymous" do
let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
let(:serializer) { described_class.new(user, scope: Guardian.new, root: false) }
let(:json) { serializer.as_json }
it "does not serialize emails" do
expect(json[:secondary_emails]).to be_nil
expect(json[:unconfirmed_emails]).to be_nil
end
end
context "as current user" do
it "serializes emails correctly" do
user = Fabricate.build(:user,
id: 1,
user_profile: Fabricate.build(:user_profile),
user_option: UserOption.new(dynamic_favicon: true),
user_stat: UserStat.new
)
json = described_class.new(user, scope: Guardian.new(user), root: false).as_json
expect(json[:secondary_emails]).to eq([])
expect(json[:unconfirmed_emails]).to eq([])
end
end
context "as different user" do
let(:user) { Fabricate(:user, trust_level: 0) }
let(:user2) { Fabricate(:user, trust_level: 1) }
it "does not serialize emails" do
json = described_class.new(user, scope: Guardian.new(user2), root: false).as_json
expect(json[:secondary_emails]).to be_nil
expect(json[:unconfirmed_emails]).to be_nil
end
end
end

12
spec/serializers/user_serializer_spec.rb
View File

@ -14,6 +14,10 @@ describe UserSerializer do
it "doesn't serialize untrusted attributes" do
untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
end
it "doesn't serialize group_users" do
expect(json[:group_users]).to be_nil
end
end
context "as current user" do
@ -24,9 +28,10 @@ describe UserSerializer do
SiteSetting.default_other_new_topic_duration_minutes = 60 * 24
user = Fabricate.build(:user,
user_profile: Fabricate.build(:user_profile),
user_option: UserOption.new(dynamic_favicon: true),
user_stat: UserStat.new
id: 1,
user_profile: Fabricate.build(:user_profile),
user_option: UserOption.new(dynamic_favicon: true),
user_stat: UserStat.new
)
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
@ -36,6 +41,7 @@ describe UserSerializer do
expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
expect(json[:user_option][:notification_level_when_replying]).to eq(3)
expect(json[:group_users]).to eq([])
end
end