Don't list guest customer records to guest users

2026-03-01 02:03:22 +00:00 · 2022-02-15 12:41:35 +11:00
parent bd9bed7323
commit 414bf5d074
2 changed files with 17 additions and 1 deletions
--- a/app/controllers/api/v1/customers_controller.rb
+++ b/app/controllers/api/v1/customers_controller.rb
@@ -64,7 +64,7 @@ module Api
      end

      def visible_customers
-        Customer.where(user_id: current_api_user.id).or(
+        current_api_user.customers.or(
          Customer.where(enterprise_id: editable_enterprises)
        )
      end
--- a/spec/requests/api/v1/customers_spec.rb
+++ b/spec/requests/api/v1/customers_spec.rb
@@ -26,6 +26,22 @@ describe "Customers", type: :request do
    end

    describe "returning results based on permissions" do
+      context "as guest user" do
+        before { login_as nil }
+
+        it "returns no customers" do
+          get "/api/v1/customers"
+          expect(json_response_ids).to eq []
+        end
+
+        it "returns not even customers without user id" do
+          customer3.update!(user_id: nil)
+
+          get "/api/v1/customers"
+          expect(json_response_ids).to eq []
+        end
+      end
+
      context "as an enterprise owner" do
        before { login_as enterprise1.owner }