From 414bf5d074b7ef4a47189cc314f627137e289ead Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Tue, 15 Feb 2022 12:41:35 +1100
Subject: [PATCH] Don't list guest customer records to guest users

---
 app/controllers/api/v1/customers_controller.rb | 2 +-
 spec/requests/api/v1/customers_spec.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/customers_controller.rb b/app/controllers/api/v1/customers_controller.rb
index 65783afc70..6c403ce2d4 100644
--- a/app/controllers/api/v1/customers_controller.rb
+++ b/app/controllers/api/v1/customers_controller.rb
@@ -64,7 +64,7 @@ module Api
 end
 
 def visible_customers
- Customer.where(user_id: current_api_user.id).or(
+ current_api_user.customers.or(
 Customer.where(enterprise_id: editable_enterprises)
 )
 end
diff --git a/spec/requests/api/v1/customers_spec.rb b/spec/requests/api/v1/customers_spec.rb
index b84416cf04..59c4de7ec2 100644
--- a/spec/requests/api/v1/customers_spec.rb
+++ b/spec/requests/api/v1/customers_spec.rb
@@ -26,6 +26,22 @@ describe "Customers", type: :request do
 end
 
 describe "returning results based on permissions" do
+ context "as guest user" do
+ before { login_as nil }
+
+ it "returns no customers" do
+ get "/api/v1/customers"
+ expect(json_response_ids).to eq []
+ end
+
+ it "returns not even customers without user id" do
+ customer3.update!(user_id: nil)
+
+ get "/api/v1/customers"
+ expect(json_response_ids).to eq []
+ end
+ end
+
 context "as an enterprise owner" do
 before { login_as enterprise1.owner }
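Review bot: The new `current_api_user.customers` line in visible_customers only gives the intended empty result if `current_api_user` is never nil for an unauthenticated request; on nil it raises NoMethodError and the endpoint answers 500 instead of an empty list. The spec's `login_as nil` case passing suggests the base controller substitutes a blank, unsaved user for guests, but nothing in visible_customers records that assumption, and the removed `Customer.where(user_id: current_api_user.id)` had the same dependency. Because the reason for the change is subtle — presumably the guest user has a nil id, so `where(user_id: nil)` matched every customer record without a user, which is what the new "returns not even customers without user id" example pins down — I would state it above the association call so nobody "simplifies" it back: `# Use the association, not where(user_id: current_api_user.id): a guest user has no id, and where(user_id: nil) would match every customer record that has no user.` The enclosing class and the `module Api` wrapper begin outside the hunk.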