FEATURE: restrict some user fields for TL0 users when viewed by anonymous users

app/serializers/user_serializer.rb

@@ -18,6 +18,17 @@ class UserSerializer < BasicUserSerializer
     end
   end
 
+  # attributes that are hidden for TL0 users when seen by anonymous
+  def self.untrusted_attributes(*attrs)
+    attrs.each do |attr|
+      method_name = "include_#{attr}?"
+      define_method(method_name) do
+        return false if object.trust_level == TrustLevel[0] && scope.anonymous?
+        send(attr).present?
+      end
+    end
+  end
+
   attributes :name,
              :email,
              :last_posted_at,
@@ -87,6 +98,14 @@ class UserSerializer < BasicUserSerializer
                      :card_image_badge,
                      :card_image_badge_id
 
+  untrusted_attributes :bio_raw,
+                       :bio_cooked,
+                       :bio_excerpt,
+                       :location,
+                       :website,
+                       :profile_background,
+                       :card_background
+
   ###
   ### ATTRIBUTES
   ###
@@ -99,15 +118,10 @@ class UserSerializer < BasicUserSerializer
     object.user_profile.card_image_badge
   end
 
-
   def bio_raw
     object.user_profile.bio_raw
   end
 
-  def include_bio_raw?
-    bio_raw.present?
-  end
-
   def bio_cooked
     object.user_profile.bio_processed
   end
@@ -116,10 +130,6 @@ class UserSerializer < BasicUserSerializer
     object.user_profile.website
   end
 
-  def include_website?
-    website.present?
-  end
-
   def card_image_badge_id
     object.user_profile.card_image_badge.try(:id)
   end
@@ -140,26 +150,14 @@ class UserSerializer < BasicUserSerializer
     object.user_profile.profile_background
   end
 
-  def include_profile_background?
-    profile_background.present?
-  end
-
   def card_background
     object.user_profile.card_background
   end
 
-  def include_card_background?
-    card_background.present?
-  end
-
   def location
     object.user_profile.location
   end
 
-  def include_location?
-    location.present?
-  end
-
   def can_edit
     scope.can_edit?(object)
   end

spec/serializers/user_serializer_spec.rb

@@ -3,6 +3,18 @@ require_dependency 'user'
 
 describe UserSerializer do
 
+  context "with a TL0 user seen as anonymous" do
+    let(:user) { Fabricate.build(:user, trust_level: 0, user_profile: Fabricate.build(:user_profile)) }
+    let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
+    let(:json) { serializer.as_json }
+
+    let(:untrusted_attributes) { %i{bio_raw bio_cooked bio_excerpt location website profile_background card_background} }
+
+    it "doesn't serialize untrusted attributes" do
+      untrusted_attributes.each { |attr| json.should_not have_key(attr) }
+    end
+  end
+
   context "with a user" do
     let(:user) { Fabricate.build(:user, user_profile: Fabricate.build(:user_profile) ) }
     let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }