FIX: Do not serialize user fields unless they are specified for display (#6736)

2018-12-07 10:57:28 +00:00 · 2018-12-07 10:57:28 +00:00 · 7828c1156c
commit 7828c1156c
parent cffb3d7976
3 changed files with 38 additions and 1 deletions
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@ -419,7 +419,8 @@ class UserSerializer < BasicUserSerializer
  end

  def user_fields
-    object.user_fields
+    allowed_keys = scope.allowed_user_field_ids(object).map(&:to_s)
+    object.user_fields&.select { |k, v| allowed_keys.include?(k) }
  end

  def include_user_fields?
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@ -76,4 +76,15 @@ module UserGuardian
    user && can_administer_user?(user)
  end

+  def allowed_user_field_ids(user)
+    @allowed_user_field_ids ||= {}
+    @allowed_user_field_ids[user.id] ||=
+      begin
+        if is_staff? || is_me?(user)
+          UserField.pluck(:id)
+        else
+          UserField.where("show_on_profile OR show_on_user_card").pluck(:id)
+        end
+      end
+  end
 end
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@ -197,6 +197,31 @@ describe UserSerializer do
    end
  end

+  context "with user fields" do
+    let(:user) { Fabricate(:user) }
+
+    let! :fields do
+      [
+        Fabricate(:user_field),
+        Fabricate(:user_field),
+        Fabricate(:user_field, show_on_profile: true),
+        Fabricate(:user_field, show_on_user_card: true),
+        Fabricate(:user_field, show_on_user_card: true, show_on_profile: true)
+      ]
+    end
+
+    let(:other_user_json) { UserSerializer.new(user, scope: Guardian.new(Fabricate(:user)), root: false).as_json }
+    let(:self_json) { UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json }
+    let(:admin_json) { UserSerializer.new(user, scope: Guardian.new(Fabricate(:admin)), root: false).as_json }
+
+    it "includes the correct fields for each audience" do
+      expect(admin_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
+      expect(other_user_json[:user_fields].keys).to contain_exactly(*fields[2..5].map { |f| f.id.to_s })
+      expect(self_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
+    end
+
+  end
+
  context "with user_api_keys" do
    let(:user) { Fabricate(:user) }