Add test for cache pollution bug

Author: DavidMikeSimon

test/controllers/controller_test.rb

@@ -3667,6 +3667,23 @@ def test_show_author_recursive
   end
 end
 
+class Api::V2::AuthorsControllerTest < ActionController::TestCase
+  def test_cache_pollution_for_non_admin_indirect_access_to_banned_books
+    cache = ActiveSupport::Cache::MemoryStore.new
+    with_resource_caching(cache) do
+      $test_user = Person.find(5)
+      get :show, params: {id: '2', include: 'books'}
+      assert_response :success
+      assert_equal 2, json_response['included'].length
+
+      $test_user = Person.find(1)
+      get :show, params: {id: '2', include: 'books'}
+      assert_response :success
+      assert_equal 1, json_response['included'].length
+    end
+  end
+end
+
 class Api::BoxesControllerTest < ActionController::TestCase
   def test_complex_includes_base
     assert_cacheable_get :index

test/fixtures/active_record.rb

@@ -798,6 +798,9 @@ class LikesController < JSONAPI::ResourceController
 
   module V2
     class AuthorsController < JSONAPI::ResourceController
+      def context
+        {current_user: $test_user}
+      end
     end
 
     class PeopleController < JSONAPI::ResourceController
@@ -1448,6 +1451,24 @@ class PreferencesResource < PreferencesResource; end
     class PersonResource < PersonResource; end
     class PostResource < PostResource; end
 
+    class AuthorResource < JSONAPI::Resource
+      model_name 'Person'
+      attributes :name
+
+      has_many :books, inverse_relationship: :authors
+
+      def records_for(rel_name)
+        records = _model.public_send(rel_name)
+        if rel_name == :books
+          # Hide indirect access to banned books unless current user is a book admin
+          unless context[:current_user].try(:book_admin)
+            records = records.where(banned: false)
+          end
+        end
+        return records
+      end
+    end
+
     class BookResource < JSONAPI::Resource
       attribute :title
       attributes :isbn, :banned
@@ -1483,7 +1504,7 @@ def records(options = {})
           context = options[:context]
           current_user = context ? context[:current_user] : nil
 
-          records = _model_class
+          records = _model_class.all
           # Hide the banned books from people who are not book admins
           unless current_user && current_user.book_admin
             records = records.where(not_banned_books)

test/fixtures/book_authors.yml

@@ -9,3 +9,7 @@ book_author_2_1:
 book_author_2_2:
   book_id: 2
   person_id: 2
+
+book_author_654_2:
+  book_id: 654 # Banned book
+  person_id: 2

test/test_helper.rb

@@ -289,6 +289,7 @@ class CatResource < JSONAPI::Resource
 
       jsonapi_resource :preferences, except: [:create, :destroy]
 
+      jsonapi_resources :authors
       jsonapi_resources :books
       jsonapi_resources :book_comments
     end