From 901d6080df6a62c8fbb4da697a9150fdd93211da Mon Sep 17 00:00:00 2001 From: Arpit Jalan Date: Mon, 15 Feb 2021 16:12:06 +0530 Subject: [PATCH] FIX: do not show SSO last payload to moderators (#12084) --- .../single_sign_on_record_serializer.rb | 4 ++++ .../single_sign_on_record_serializer_spec.rb | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/app/serializers/single_sign_on_record_serializer.rb b/app/serializers/single_sign_on_record_serializer.rb index f9a9241e732..2480d640a46 100644 --- a/app/serializers/single_sign_on_record_serializer.rb +++ b/app/serializers/single_sign_on_record_serializer.rb @@ -7,4 +7,8 @@ class SingleSignOnRecordSerializer < ApplicationSerializer :external_name, :external_avatar_url, :external_profile_background_url, :external_card_background_url + + def include_last_payload? + scope.is_admin? + end end diff --git a/spec/serializers/single_sign_on_record_serializer_spec.rb b/spec/serializers/single_sign_on_record_serializer_spec.rb index fffb6dff6bf..0d2b50e0c8b 100644 --- a/spec/serializers/single_sign_on_record_serializer_spec.rb +++ b/spec/serializers/single_sign_on_record_serializer_spec.rb @@ -5,7 +5,7 @@ require 'rails_helper' RSpec.describe SingleSignOnRecordSerializer do fab!(:user) { Fabricate(:user) } let :sso do - SingleSignOnRecord.create!(user_id: user.id, external_id: '12345', external_email: user.email, last_payload: '') + SingleSignOnRecord.create!(user_id: user.id, external_id: '12345', external_email: user.email, last_payload: 'foobar') end context "admin" do 
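Review bot: `include_last_payload?` dereferences `scope` unconditionally, so a caller that builds this serializer without a `scope:` would get a NoMethodError instead of a hidden field; that fails closed, which is acceptable for a sensitive attribute, but if a scope-less instantiation exists anywhere (I cannot tell from this hunk) `!!scope&.is_admin?` makes the gate an explicit false rather than a 500. The method also deserves a why-comment, since nothing in the file says what is being protected: `# The raw last SSO payload is admin-only (#12084); moderators and other non-admin scopes never receive it.` Whether the raw payload carries data beyond what the `external_*` attributes already expose is not visible here, so I have not suggested gating those too.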
@@ -21,4 +21,18 @@ RSpec.describe SingleSignOnRecordSerializer do
 expect(payload[:external_email]).to be_nil
 end
 end
+
+ context "moderator" do
+ let(:moderator) { Fabricate(:moderator) }
+ let :serializer do
+ SingleSignOnRecordSerializer.new(sso, scope: Guardian.new(moderator), root: false)
+ end
+
+ it "should not include user sso payload" do
+ payload = serializer.as_json
+ expect(payload[:user_id]).to eq(user.id)
+ expect(payload[:external_id]).to eq('12345')
+ expect(payload[:last_payload]).to be_nil
+ end
+ end
 end
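Review bot: The new moderator example only proves the negative; the admin example whose tail opens this hunk ends at `expect(payload[:external_email]).to be_nil` and, on the lines visible here, never asserts that `last_payload` is still serialized for admins, so an `include_last_payload?` that returned false for everyone would pass this spec. Since the fixture was changed to `last_payload: 'foobar'` in the earlier hunk, add `expect(payload[:last_payload]).to eq('foobar')` to the admin example, unless one of the admin lines not shown here already does so. A `context "regular user"` using `Guardian.new(user)` and asserting `expect(payload[:last_payload]).to be_nil` would also cover the non-staff path, which the moderator case alone does not. The enclosing `RSpec.describe` block starts outside this hunk.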