typo in protect_recipients functionality, fixes #5278

also, we should exclude viewed_user_ids too, it's not displayed in the
ui but it's still a pointer to who else the message went to

Change-Id: I11b42b0aef17638d595ba7023a5f275811766ccc
Reviewed-on: https://gerrit.instructure.com/5045
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Hudson <hudson@instructure.com>

app/controllers/context_controller.rb

@@ -230,7 +230,7 @@ class ContextController < ApplicationController
         }
         if @asset.is_a?(ContextMessage) && @asset.protect_recipients && !@asset.cached_context_grants_right?(@current_user, session, :manage_students)
           json_params[:include] = [:attachments]
-          json_params[:exclude] = [:recipients]
+          json_params[:except] = [:recipients, :viewed_user_ids]
         end
         if @asset.is_a?(ContextMessage)
           @asset.root_context_message_id ||= @asset.id

spec/controllers/context_controller_spec.rb

@@ -71,6 +71,21 @@ describe ContextController do
       assigns[:entries].should_not be_nil
     end
   end
+
+  describe "GET 'inbox_item'" do
+    it "should exclude recipients if protect_recipients" do
+      course_with_student_logged_in(:active_all => true)
+      @student = @user
+      @teacher = @course.enroll_teacher(user(:active_all => true)).user
+      @cm = @course.context_messages.build(:subject => 'hai', :body => 'test', :user => @teacher, :protect_recipients => '1')
+      @cm.recipients = [@student.id]
+      @cm.save!
+      get 'inbox_item', :course_id => @course.id, :id => InboxItem.find_by_user_id(@student.id), :format => 'json'
+      json = JSON.parse(response.body)
+      json['context_message']['recipients'].should be_nil
+      json['context_message']['viewed_user_ids'].should be_nil
+    end
+  end
   
   describe "GET 'chat'" do
     it "should redirect if no chats enabled" do