From 2e085915ccee7cab15c4f379055af7b9031a9453 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Wed, 22 Sep 2021 16:01:25 +0300
Subject: [PATCH] FIX: `include_` serializer methods must end with ? (#14407)
Otherwise, they are simply dead code and the attribute is visible by default. These bugs did not expose any sensitive information.
---
 app/serializers/category_serializer.rb | 2 +-
 app/serializers/group_user_serializer.rb | 2 +-
 app/serializers/invited_user_record_serializer.rb | 2 +-
 app/serializers/user_card_serializer.rb | 4 ----
 .../api/schemas/json/category_create_response.json | 7 -------
 .../api/schemas/json/category_update_response.json | 7 -------
 6 files changed, 3 insertions(+), 21 deletions(-)
diff --git a/app/serializers/category_serializer.rb b/app/serializers/category_serializer.rb
index 0efe3f5b5b6..28f88a0582e 100644
--- a/app/serializers/category_serializer.rb
+++ b/app/serializers/category_serializer.rb
@@ -75,7 +75,7 @@ class CategorySerializer < SiteCategorySerializer
 scope && scope.cannot_delete_category_reason(object)
 end
- def include_cannot_delete_reason
+ def include_cannot_delete_reason?
 !include_can_delete? && scope && scope.can_edit?(object)
 end
diff --git a/app/serializers/group_user_serializer.rb b/app/serializers/group_user_serializer.rb
index aa191cf18d4..0c1d9a43951 100644
--- a/app/serializers/group_user_serializer.rb
+++ b/app/serializers/group_user_serializer.rb
@@ -10,7 +10,7 @@ class GroupUserSerializer < BasicUserSerializer
 :added_at,
 :timezone
- def include_added_at
+ def include_added_at?
 object.respond_to? :added_at
 end
diff --git a/app/serializers/invited_user_record_serializer.rb b/app/serializers/invited_user_record_serializer.rb
index d98f475bf33..027e8f60da2 100644
--- a/app/serializers/invited_user_record_serializer.rb
+++ b/app/serializers/invited_user_record_serializer.rb
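Review bot: Nothing in this patch stops the same mistake from recurring: in `CategorySerializer` a filter named `include_cannot_delete_reason` without the trailing `?` was never consulted, so the attribute was serialized unconditionally and the filter failed open. Consider a spec that walks the loaded serializer classes and fails on any instance method whose name matches `/\Ainclude_\w+\z/`, so a missing `?` is caught at test time rather than in review. The same applies to `include_added_at?` in group_user_serializer.rb and `include_days_since_created?` in invited_user_record_serializer.rb. A short comment above each renamed method, such as `# Serializer filter: only consulted when the name ends in "?"`, would also make the convention visible to the next editor.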
@@ -47,7 +47,7 @@ class InvitedUserRecordSerializer < BasicUserSerializer
 ((Time.now - object.created_at) / 60 / 60 / 24).ceil
 end
- def include_days_since_created
+ def include_days_since_created?
 can_see_invite_details?
 end
diff --git a/app/serializers/user_card_serializer.rb b/app/serializers/user_card_serializer.rb
index 4ff67b99137..dd41c2c9b89 100644
--- a/app/serializers/user_card_serializer.rb
+++ b/app/serializers/user_card_serializer.rb
@@ -107,10 +107,6 @@ class UserCardSerializer < BasicUserSerializer
 uri.host.sub(/^www\./, '') + uri.path
 end
- def include_website_name
- website.present?
- end
-
 def ignored
 scope_ignored_user_ids = scope.user&.ignored_user_ids || []
 scope_ignored_user_ids.include?(object.id)
diff --git a/spec/requests/api/schemas/json/category_create_response.json b/spec/requests/api/schemas/json/category_create_response.json
index 53823807ddf..47af86d8c81 100644
--- a/spec/requests/api/schemas/json/category_create_response.json
+++ b/spec/requests/api/schemas/json/category_create_response.json
@@ -215,12 +215,6 @@
 "can_delete": {
 "type": "boolean"
 },
- "cannot_delete_reason": {
- "type": [
- "string",
- "null"
- ]
- },
 "allow_badges": {
 "type": "boolean"
 },
@@ -287,7 +281,6 @@
 "mailinglist_mirror",
 "all_topics_wiki",
 "can_delete",
- "cannot_delete_reason",
 "allow_badges",
 "topic_featured_link_allowed",
 "search_priority",
diff --git a/spec/requests/api/schemas/json/category_update_response.json b/spec/requests/api/schemas/json/category_update_response.json
index f15c082677f..26d9aa86fb6 100644
--- a/spec/requests/api/schemas/json/category_update_response.json
+++ b/spec/requests/api/schemas/json/category_update_response.json
@@ -218,12 +218,6 @@
 "can_delete": {
 "type": "boolean"
 },
- "cannot_delete_reason": {
- "type": [
- "string",
- "null"
- ]
- },
 "allow_badges": {
 "type": "boolean"
 },
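Review bot: In invited_user_record_serializer.rb, `include_days_since_created?` now gates the attribute on `can_see_invite_details?`, but the patch adds no spec showing that `days_since_created` is absent from the payload for a viewer who fails that check. Of the three renamed filters this is the one whose condition reads like an authorization decision, so a regression would quietly re-expose the field. `can_see_invite_details?` is defined outside the hunk, so its exact rule cannot be confirmed from here. A serializer spec with one permitted and one non-permitted scope would pin both sides of the condition.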
@@ -290,7 +284,6 @@
 "mailinglist_mirror",
 "all_topics_wiki",
 "can_delete",
- "cannot_delete_reason",
 "allow_badges",
 "topic_featured_link_allowed",
 "search_priority",