SECURITY: Update reviewable user serializer payload
Exclude the email from the reviewable user serializer payload unless the serializer's scope (Guardian) is allowed to check emails.
parent
5b8cf11b69
commit
8d5b21170e
|
@ -16,4 +16,14 @@ class ReviewableUserSerializer < ReviewableSerializer
|
||||||
def include_user_fields?
|
def include_user_fields?
|
||||||
object.target.present? && object.target.user_fields.present?
|
object.target.present? && object.target.user_fields.present?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def attributes(*args)
|
||||||
|
data = super
|
||||||
|
data[:payload]&.delete("email") if !include_email?
|
||||||
|
data
|
||||||
|
end
|
||||||
|
|
||||||
|
def include_email?
|
||||||
|
scope.can_check_emails?(scope.user)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
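Review bot: `data[:payload]&.delete("email")` mutates whatever hash `super` returns under `data[:payload]`; if that is the reviewable's own `payload` hash rather than a copy, serializing once for a moderator would strip the email from the in-memory record for any later admin serialization in the same request — worth confirming against `ReviewableSerializer#attributes`, which is outside this hunk. A non-mutating form sidesteps the question: `data[:payload] = data[:payload].except("email") if data[:payload] && !include_email?`. Style-wise, `if !include_email?` reads better as `unless include_email?`, and `include_email?` deserves a one-line comment such as `# The email is persisted in the payload when the reviewable is created; only expose it to scopes that may check emails (admins, or moderators when moderators_view_emails is enabled).` Note the removal matches the string key `"email"` only, which is consistent with the string-keyed payload the spec asserts on; a symbol-keyed payload would pass through untouched.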
|
|
|
@ -3,12 +3,15 @@
|
||||||
RSpec.describe ReviewableUserSerializer do
|
RSpec.describe ReviewableUserSerializer do
|
||||||
let(:user) { Fabricate(:user) }
|
let(:user) { Fabricate(:user) }
|
||||||
let(:admin) { Fabricate(:admin) }
|
let(:admin) { Fabricate(:admin) }
|
||||||
|
let(:moderator) { Fabricate(:moderator) }
|
||||||
|
let(:reviewable) { Reviewable.find_by(target: user) }
|
||||||
|
|
||||||
it "includes the user fields for review" do
|
before do
|
||||||
SiteSetting.must_approve_users = true
|
SiteSetting.must_approve_users = true
|
||||||
Jobs::CreateUserReviewable.new.execute(user_id: user.id)
|
Jobs::CreateUserReviewable.new.execute(user_id: user.id)
|
||||||
reviewable = Reviewable.find_by(target: user)
|
end
|
||||||
|
|
||||||
|
it "includes the user fields for review" do
|
||||||
json = ReviewableUserSerializer.new(reviewable, scope: Guardian.new(admin), root: nil).as_json
|
json = ReviewableUserSerializer.new(reviewable, scope: Guardian.new(admin), root: nil).as_json
|
||||||
expect(json[:user_id]).to eq(reviewable.target_id)
|
expect(json[:user_id]).to eq(reviewable.target_id)
|
||||||
expect(json[:payload]["username"]).to eq(user.username)
|
expect(json[:payload]["username"]).to eq(user.username)
|
||||||
|
@ -16,4 +19,26 @@ RSpec.describe ReviewableUserSerializer do
|
||||||
expect(json[:payload]["name"]).to eq(user.name)
|
expect(json[:payload]["name"]).to eq(user.name)
|
||||||
expect(json[:topic_url]).to be_blank
|
expect(json[:topic_url]).to be_blank
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "excludes the email user field for moderators" do
|
||||||
|
json =
|
||||||
|
ReviewableUserSerializer.new(reviewable, scope: Guardian.new(moderator), root: nil).as_json
|
||||||
|
expect(json[:user_id]).to eq(reviewable.target_id)
|
||||||
|
expect(json[:payload]["username"]).to eq(user.username)
|
||||||
|
expect(json[:payload]["email"]).to eq(nil)
|
||||||
|
expect(json[:payload]["name"]).to eq(user.name)
|
||||||
|
expect(json[:topic_url]).to be_blank
|
||||||
|
end
|
||||||
|
|
||||||
|
it "includes the email user field for moderators if enabled" do
|
||||||
|
SiteSetting.moderators_view_emails = true
|
||||||
|
|
||||||
|
json =
|
||||||
|
ReviewableUserSerializer.new(reviewable, scope: Guardian.new(moderator), root: nil).as_json
|
||||||
|
expect(json[:user_id]).to eq(reviewable.target_id)
|
||||||
|
expect(json[:payload]["username"]).to eq(user.username)
|
||||||
|
expect(json[:payload]["email"]).to eq(user.email)
|
||||||
|
expect(json[:payload]["name"]).to eq(user.name)
|
||||||
|
expect(json[:topic_url]).to be_blank
|
||||||
|
end
|
||||||
end
|
end
|
||||||
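Review bot: The admin example never asserts that the email is present, so a regression that drops `"email"` for every scope would still pass; add `expect(json[:payload]["email"]).to eq(user.email)` to the admin example in this hunk. In the moderator example, `expect(json[:payload]["email"]).to eq(nil)` also passes if the key exists with a nil value; `expect(json[:payload]).not_to have_key("email")` pins the intended removal of the key.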
|
|