FIX: hides votes from regular users when poll is staff only (#11342)

2020-11-24 22:19:06 +01:00 · 2020-11-24 22:19:06 +01:00 · ad1a10e6e9
parent a6613d15f4
commit ad1a10e6e9
3 changed files with 70 additions and 2 deletions
--- a/plugins/poll/app/serializers/poll_option_serializer.rb
+++ b/plugins/poll/app/serializers/poll_option_serializer.rb
@ -1,7 +1,6 @@
 # frozen_string_literal: true

 class PollOptionSerializer < ApplicationSerializer
-
  attributes :id, :html, :votes

  def id
@ -13,4 +12,7 @@ class PollOptionSerializer < ApplicationSerializer
    object.poll_votes.size + object.anonymous_votes.to_i
  end

+  def include_votes?
+    scope[:can_see_results]
+  end
 end
--- a/plugins/poll/app/serializers/poll_serializer.rb
+++ b/plugins/poll/app/serializers/poll_serializer.rb
@ -42,7 +42,15 @@ class PollSerializer < ApplicationSerializer
  end

  def options
-    object.poll_options.map { |o| PollOptionSerializer.new(o, root: false).as_json }
+    can_see_results = object.can_see_results?(scope.user)
+
+    object.poll_options.map do |option|
+      PollOptionSerializer.new(
+        option,
+        root: false,
+        scope: { can_see_results: can_see_results }
+      ).as_json
+    end
  end

  def voters
--- a/plugins/poll/spec/serializers/poll_option_serializer_spec.rb
+++ b/plugins/poll/spec/serializers/poll_option_serializer_spec.rb
@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+def serialize_option(option, user)
+  PollOptionSerializer.new(
+    option,
+    root: false,
+    scope: { can_see_results: poll.can_see_results?(user) }
+  )
+end
+
+describe PollOptionSerializer do
+  let(:voter) { Fabricate(:user) }
+  let(:poll) { post.polls.first }
+
+  before do
+    poll.poll_votes.create!(poll_option_id: poll.poll_options.first.id, user_id: voter.id)
+  end
+
+  context 'poll results are public' do
+    let(:post) { Fabricate(:post, raw: "[poll]\n- A\n- B\n[/poll]") }
+
+    context 'user is not staff' do
+      let(:user) { Fabricate(:user) }
+
+      it 'include votes' do
+        serializer = serialize_option(poll.poll_options.first, user)
+
+        expect(serializer.include_votes?).to eq(true)
+      end
+    end
+  end
+
+  context 'poll results are staff only' do
+    let(:post) { Fabricate(:post, raw: "[poll results=staff_only]\n- A\n- B\n[/poll]") }
+
+    context 'user is not staff' do
+      let(:user) { Fabricate(:user) }
+
+      it 'doesn’t include votes' do
+        serializer = serialize_option(poll.poll_options.first, user)
+
+        expect(serializer.include_votes?).to eq(false)
+      end
+    end
+
+    context 'user staff' do
+      let(:admin) { Fabricate(:admin) }
+
+      it 'includes votes' do
+        serializer = serialize_option(poll.poll_options.first, admin)
+
+        expect(serializer.include_votes?).to eq(true)
+      end
+    end
+  end
+end