From becc24a3b17c5ec47d4c8b6523070d8e422b783d Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Sat, 27 Jul 2024 17:26:48 +0200
Subject: [PATCH] Add spec to ensure Account Serializer doesn't expose the permissions associated with a role

---
 spec/serializers/rest/account_serializer_spec.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/spec/serializers/rest/account_serializer_spec.rb b/spec/serializers/rest/account_serializer_spec.rb
index 15939e484d8..a57b3105d95 100644
--- a/spec/serializers/rest/account_serializer_spec.rb
+++ b/spec/serializers/rest/account_serializer_spec.rb
@@ -25,6 +25,10 @@ describe REST::AccountSerializer do
 it 'returns the expected role' do
 expect(subject['roles'].first).to include({ 'name' => 'Role' })
 end
+
+ it 'does not expose the roles permissions' do
+ expect(subject['roles'].first).to_not include({ 'permissions' => role.computed_permissions.to_s })
+ end
 end
 
 context 'when the account has a non-highlighted role' do
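Review bot: The new negative assertion in `it 'does not expose the roles permissions'` only proves that the serialized role lacks the exact pair `'permissions' => role.computed_permissions.to_s`; a serializer that emitted the permissions under a different representation (for example as an Integer instead of the `to_s` String, or under another key) would still pass this spec while leaking the same data. A key-based check is the stronger guard for what the commit title promises: `expect(subject['roles'].first).to_not have_key('permissions')`. Pinning the allow-listed shape positively, e.g. `expect(subject['roles'].first.keys).to contain_exactly('id', 'name', 'color')`, would catch any future field added to the role payload, though the exact key list should be confirmed against the serializer since it is not visible here. The enclosing `context` block starts outside the hunk.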