From 7828c1156c0e4e4d656b3457727ecf5df7a0ac45 Mon Sep 17 00:00:00 2001
From: David Taylor <david@taylorhq.com>
Date: Fri, 7 Dec 2018 10:57:28 +0000
Subject: [PATCH] FIX: Do not serialize user fields unless they are specified
 for display (#6736)

---
 app/serializers/user_serializer.rb       |  3 ++-
 lib/guardian/user_guardian.rb            | 11 +++++++++++
 spec/serializers/user_serializer_spec.rb | 25 ++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb
index eedadd87bf..49015ce27a 100644
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@@ -419,7 +419,8 @@ class UserSerializer < BasicUserSerializer
   end
 
   def user_fields
-    object.user_fields
+    allowed_keys = scope.allowed_user_field_ids(object).map(&:to_s)
+    object.user_fields&.select { |k, v| allowed_keys.include?(k) }
   end
 
   def include_user_fields?
diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
index 0aef85c991..787615b42e 100644
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@@ -76,4 +76,15 @@ module UserGuardian
     user && can_administer_user?(user)
   end
 
+  def allowed_user_field_ids(user)
+    @allowed_user_field_ids ||= {}
+    @allowed_user_field_ids[user.id] ||=
+      begin
+        if is_staff? || is_me?(user)
+          UserField.pluck(:id)
+        else
+          UserField.where("show_on_profile OR show_on_user_card").pluck(:id)
+        end
+      end
+  end
 end
diff --git a/spec/serializers/user_serializer_spec.rb b/spec/serializers/user_serializer_spec.rb
index a637d13137..99a4a9bf33 100644
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@@ -197,6 +197,31 @@ describe UserSerializer do
     end
   end
 
+  context "with user fields" do
+    let(:user) { Fabricate(:user) }
+
+    let! :fields do
+      [
+        Fabricate(:user_field),
+        Fabricate(:user_field),
+        Fabricate(:user_field, show_on_profile: true),
+        Fabricate(:user_field, show_on_user_card: true),
+        Fabricate(:user_field, show_on_user_card: true, show_on_profile: true)
+      ]
+    end
+
+    let(:other_user_json) { UserSerializer.new(user, scope: Guardian.new(Fabricate(:user)), root: false).as_json }
+    let(:self_json) { UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json }
+    let(:admin_json) { UserSerializer.new(user, scope: Guardian.new(Fabricate(:admin)), root: false).as_json }
+
+    it "includes the correct fields for each audience" do
+      expect(admin_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
+      expect(other_user_json[:user_fields].keys).to contain_exactly(*fields[2..5].map { |f| f.id.to_s })
+      expect(self_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
+    end
+
+  end
+
   context "with user_api_keys" do
     let(:user) { Fabricate(:user) }