Don't show interview_notes to non-admins

api/app/serializers/new_club_application_serializer.rb

@@ -28,10 +28,17 @@ class NewClubApplicationSerializer < ActiveModel::Serializer
              :curious_what_convinced,
              :curious_how_did_hear,
              :point_of_contact_id,
-             :submitted_at
+             :submitted_at,
+             :interviewed_at,
+             :interview_duration
+
+  attribute :interview_notes, if: :admin?
 
   has_many :leader_profiles
 
+  # for admin? method
+  delegate :admin?, to: :current_user
+
   class LeaderProfileSerializer < ActiveModel::Serializer
     attributes :id, :completed_at
     has_one :user

api/spec/requests/v1/new_club_applications_spec.rb

@@ -131,6 +131,22 @@
           'email' => profile.user.email
         }
       )
+
+      # includes interviewed_at and interview_duration, but not interview_notes
+      expect(json).to include('interviewed_at')
+      expect(json).to include('interview_duration')
+      expect(json).to_not include('interview_notes')
+    end
+
+    it 'includes interview_notes when authed as an admin' do
+      user.make_admin!
+      user.save
+
+      get "/v1/new_club_applications/#{club_application.id}",
+          headers: auth_headers
+
+      expect(response.status).to eq(200)
+      expect(json).to include('interview_notes')
     end
 
     it '404s when application does not exist' do