SECURITY: Mod should not see group_users and second_factor_enabled.

Moderators should not be able to see `UserSerializer#group_users` and `UserSerializer#second_factor_enabled` of other users. Impact of leaking this is low because the information leaked is not exploitable.
2025-01-18 10:52:45 +08:00 · 2020-09-11 10:23:35 +08:00 · 2020-09-11 10:23:35 +08:00 · 245d29e5a3
commit 245d29e5a3
parent 468417a716
2 changed files with 20 additions and 7 deletions
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@ -83,7 +83,7 @@ class UserSerializer < UserCardSerializer
  end

  def include_group_users?
-    (object.id && object.id == scope.user.try(:id)) || scope.is_staff?
+    (object.id && object.id == scope.user.try(:id)) || scope.is_admin?
  end

  def include_associated_accounts?
@ -91,7 +91,7 @@ class UserSerializer < UserCardSerializer
  end

  def include_second_factor_enabled?
-    (object&.id == scope.user&.id) || scope.is_staff?
+    (object&.id == scope.user&.id) || scope.is_admin?
  end

  def second_factor_enabled
--- a/spec/serializers/user_serializer_spec.rb
+++ b/spec/serializers/user_serializer_spec.rb
@ -3,20 +3,33 @@
 require 'rails_helper'

 describe UserSerializer do
+  fab!(:user) { Fabricate(:user, trust_level: 0) }

  context "with a TL0 user seen as anonymous" do
-    let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
    let(:json) { serializer.as_json }
-
    let(:untrusted_attributes) { %i{bio_raw bio_cooked bio_excerpt location website website_name profile_background card_background} }

    it "doesn't serialize untrusted attributes" do
      untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
    end

-    it "doesn't serialize group_users" do
-      expect(json[:group_users]).to be_nil
+    it "serializes correctly" do
+      expect(json[:group_users]).to eq(nil)
+      expect(json[:second_factor_enabled]).to eq(nil)
+    end
+  end
+
+  context "as moderator" do
+    it "serializes correctly" do
+      json = UserSerializer.new(
+        user,
+        scope: Guardian.new(Fabricate(:moderator)),
+        root: false
+      ).as_json
+
+      expect(json[:group_users]).to eq(nil)
+      expect(json[:second_factor_enabled]).to eq(nil)
    end
  end

@ -41,8 +54,8 @@ describe UserSerializer do
      expect(json[:user_option][:new_topic_duration_minutes]).to eq(60 * 24)
      expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
      expect(json[:user_option][:notification_level_when_replying]).to eq(3)
-
      expect(json[:group_users]).to eq([])
+      expect(json[:second_factor_enabled]).to eq(false)
    end
  end