Allow zoo admins to view join token when querying user group (#4338)

* update user_group_serializer to include join_token for zooniverse admins for admin page * update current_user check zooniverse is admin
zooniverse · May 30, 2024 · c1516c0 · c1516c0
1 parent 095ae22
commit c1516c0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/app/serializers/user_group_serializer.rb b/app/serializers/user_group_serializer.rb
@@ -20,7 +20,7 @@ def type
 
   def include_join_token?
     return false unless current_user
-    @model.has_admin? current_user
+    current_user.is_admin? || @model.has_admin?(current_user)
   end
 
   def current_user

diff --git a/spec/serializers/user_group_serializer_spec.rb b/spec/serializers/user_group_serializer_spec.rb
@@ -1,18 +1,39 @@
-require "spec_helper"
+# frozen_string_literal: true
+
+require 'spec_helper'
 
 RSpec.describe UserGroupSerializer do
   let(:user_group) { create(:user_group) }
+  let(:user) { create(:user) }
 
   describe 'join token' do
     it 'is serialized when the current user is a group admin' do
-      user = create(:user)
-      create(:membership, user: user, user_group: user_group, roles: ["group_admin"])
+      create(:membership, user: user, user_group: user_group, roles: ['group_admin'])
 
       serialized = described_class.serialize(user_group, current_user: user)
       expect(serialized[:user_groups][0][:join_token]).to eq(user_group.join_token)
     end
 
-    it 'is not serialized otherwise' do
+    it 'is serialized when the current user is a zooniverse admin' do
+      admin_user = create(:user, admin: true)
+
+      serialized = described_class.serialize(user_group, current_user: admin_user)
+      expect(serialized[:user_groups][0][:join_token]).to eq(user_group.join_token)
+    end
+
+    it 'is not serialized when user is a group member' do
+      create(:membership, user: user, user_group: user_group, roles: ['group_member'])
+
+      serialized = described_class.serialize(user_group, current_user: user)
+      expect(serialized[:user_groups][0][:join_token]).to be_nil
+    end
+
+    it 'is not serialized for user not part of group' do
+      serialized = described_class.serialize(user_group, current_user: user)
+      expect(serialized[:user_groups][0][:join_token]).to be_nil
+    end
+
+    it 'is not serialized when there is no current_user' do
       serialized = described_class.serialize(user_group)
       expect(serialized[:user_groups][0][:join_token]).to be_nil
     end