author | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-09 12:02:40 +0200 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-09 12:02:40 +0200 |
commit | 524f65152fde2591a52d4c58d14c643ce379ec5b (patch) | |
tree | d4ba7ddb7fbb96925fb746f61bf0e22e8b8697d8 | |
parent | da5073cc15935a953870d5932468c94f79d31a0b (diff) | |
download | gitlab-ce-524f65152fde2591a52d4c58d14c643ce379ec5b.tar.gz |
Only expand ancestors when searching
Not all_groups, since that would expose groups the user does not have
access to
-rw-r--r-- | app/controllers/concerns/group_tree.rb | 14 | ||||
-rw-r--r-- | spec/controllers/concerns/group_tree_spec.rb | 13 |
2 files changed, 19 insertions, 8 deletions
diff --git a/app/controllers/concerns/group_tree.rb b/app/controllers/concerns/group_tree.rb
index e969087f0b5..f4e1ce31dde 100644
--- a/app/controllers/concerns/group_tree.rb
+++ b/app/controllers/concerns/group_tree.rb
@@ -1,12 +1,12 @@
 module GroupTree
 def render_group_tree(groups)
- if params[:filter].present?
- @groups = Gitlab::GroupHierarchy.new(groups).all_groups
- @groups = Gitlab::GroupHierarchy.new(@groups.search(params[:filter])).base_and_ancestors
- else
- # Only show root groups if no parent-id is given
- @groups = groups.where(parent_id: params[:parent_id])
- end
+ @groups = if params[:filter].present?
+ Gitlab::GroupHierarchy.new(groups.search(params[:filter]))
+ .base_and_ancestors
+ else
+ # Only show root groups if no parent-id is given
+ groups.where(parent_id: params[:parent_id])
+ end
 @groups = @groups.with_selects_for_list
 .sort(@sort = params[:sort])
 .page(params[:page])
diff --git a/spec/controllers/concerns/group_tree_spec.rb b/spec/controllers/concerns/group_tree_spec.rb
index 2fe041a5ecc..ba84fbf8564 100644
--- a/spec/controllers/concerns/group_tree_spec.rb
+++ b/spec/controllers/concerns/group_tree_spec.rb
@@ -9,7 +9,7 @@ describe GroupTree do
 include GroupTree # rubocop:disable RSpec/DescribedClass
 def index
- render_group_tree Group.all
+ render_group_tree GroupsFinder.new(current_user).execute
 end
 end
@@ -52,6 +52,17 @@ describe GroupTree do
 expect(assigns(:groups)).to contain_exactly(group, subgroup)
 end
+
+ it 'does not include groups the user does not have access to' do
+ parent = create(:group, :private)
+ subgroup = create(:group, :private, parent: parent, name: 'filter')
+ subgroup.add_developer(user)
+ _other_subgroup = create(:group, :private, parent: parent, name: 'filte')
+
+ get :index, filter: 'filt', format: :json
+
+ expect(assigns(:groups)).to contain_exactly(parent, subgroup)
+ end
 end
 context 'json content' do |
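Review bot: The filter branch of render_group_tree now depends on the caller passing a `groups` relation that is already restricted to what the current user may see, and nothing in the method states that contract. A caller that passes an unscoped relation would get search results for every matching group with no error. I would add a comment above the branch, `# groups must already be limited to what the current user can see; only ancestors of matches within it are added`. The ancestors returned by `base_and_ancestors` are not checked against `groups` again; the spec added in this commit expects a private parent to appear, so that looks deliberate, but the comment should say so. The method body continues past the end of the hunk.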
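Review bot: The new example does not say why `_other_subgroup` is named 'filte', so the intent (a sibling that matches the 'filt' filter but where the user has no membership) has to be inferred from the names. A one-line comment above that line, `# matches the filter, but the user is not a member`, would make it explicit. The example only covers a sibling under a shared parent; a second example with a matching group in a separate private hierarchy would also pin that ancestors are expanded from accessible matches alone. The enclosing context block starts outside the hunk.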