SECURITY: Update reviewable user serializer payload

Exclude the email field from the reviewable user serializer payload unless the viewing user's scope (guardian) permits checking emails.
This commit is contained in:
Blake Erickson 2024-05-30 11:30:06 -06:00 committed by Nat
parent 5b8cf11b69
commit 8d5b21170e
No known key found for this signature in database
GPG Key ID: 4938B35D927EC773
2 changed files with 37 additions and 2 deletions


@ -16,4 +16,14 @@ class ReviewableUserSerializer < ReviewableSerializer
def include_user_fields? def include_user_fields?
object.target.present? && object.target.user_fields.present? object.target.present? && object.target.user_fields.present?
end end
def attributes(*args)
data = super
data[:payload]&.delete("email") if !include_email?
data
end
def include_email?
scope.can_check_emails?(scope.user)
end
end end
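Review bot: `include_email?` calls `scope.can_check_emails?(scope.user)`, passing the viewer as the subject, while the email being disclosed in the payload belongs to `object.target`; the intent reads as `scope.can_check_emails?(object.target)`. Judging by the spec, `Guardian#can_check_emails?` appears to be decided by the viewer's role and `moderators_view_emails` rather than by its argument, so the two are equivalent today, but the current call documents the wrong subject and would silently break if a per-target rule were ever added. The override also strips the field after the payload has been fully serialized, which is worth a why-comment so a later refactor does not "simplify" it into an `include_*?` hook that never fires: `# email lives in the stored payload, not a declared attribute, so it is removed after serialization`. This hunk covers only the tail of the class; the attributes that populate `payload` are defined outside it.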


@ -3,12 +3,15 @@
RSpec.describe ReviewableUserSerializer do RSpec.describe ReviewableUserSerializer do
let(:user) { Fabricate(:user) } let(:user) { Fabricate(:user) }
let(:admin) { Fabricate(:admin) } let(:admin) { Fabricate(:admin) }
let(:moderator) { Fabricate(:moderator) }
let(:reviewable) { Reviewable.find_by(target: user) }
it "includes the user fields for review" do before do
SiteSetting.must_approve_users = true SiteSetting.must_approve_users = true
Jobs::CreateUserReviewable.new.execute(user_id: user.id) Jobs::CreateUserReviewable.new.execute(user_id: user.id)
reviewable = Reviewable.find_by(target: user) end
it "includes the user fields for review" do
json = ReviewableUserSerializer.new(reviewable, scope: Guardian.new(admin), root: nil).as_json json = ReviewableUserSerializer.new(reviewable, scope: Guardian.new(admin), root: nil).as_json
expect(json[:user_id]).to eq(reviewable.target_id) expect(json[:user_id]).to eq(reviewable.target_id)
expect(json[:payload]["username"]).to eq(user.username) expect(json[:payload]["username"]).to eq(user.username)
@ -16,4 +19,26 @@ RSpec.describe ReviewableUserSerializer do
expect(json[:payload]["name"]).to eq(user.name) expect(json[:payload]["name"]).to eq(user.name)
expect(json[:topic_url]).to be_blank expect(json[:topic_url]).to be_blank
end end
it "excludes the email user field for moderators" do
json =
ReviewableUserSerializer.new(reviewable, scope: Guardian.new(moderator), root: nil).as_json
expect(json[:user_id]).to eq(reviewable.target_id)
expect(json[:payload]["username"]).to eq(user.username)
expect(json[:payload]["email"]).to eq(nil)
expect(json[:payload]["name"]).to eq(user.name)
expect(json[:topic_url]).to be_blank
end
it "includes the email user field for moderators if enabled" do
SiteSetting.moderators_view_emails = true
json =
ReviewableUserSerializer.new(reviewable, scope: Guardian.new(moderator), root: nil).as_json
expect(json[:user_id]).to eq(reviewable.target_id)
expect(json[:payload]["username"]).to eq(user.username)
expect(json[:payload]["email"]).to eq(user.email)
expect(json[:payload]["name"]).to eq(user.name)
expect(json[:topic_url]).to be_blank
end
end end
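Review bot: In the moderator-exclusion example, `expect(json[:payload]["email"]).to eq(nil)` cannot tell a stripped key apart from a fabricated user whose email happens to be nil, so the example would still pass if the serializer leaked the field; `expect(json[:payload]).not_to have_key("email")` pins the intended behaviour, ideally preceded by `expect(user.email).to be_present` so the positive case is meaningful too. The admin example in the first hunk does not visibly assert that `email` is still present for admins, though that assertion may sit in the lines elided between the two hunks. Since the spec now relies on `let(:reviewable)` being evaluated lazily after the `before` block creates the reviewable, a one-line note on the `let` would spare the next reader the question of ordering.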