summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDJ Mountney <david@twkie.net>2017-06-08 09:52:27 -0700
committerDJ Mountney <david@twkie.net>2017-06-08 09:52:27 -0700
commit982368dc55bbd22f82bf908f8af220056202a65a (patch)
tree8a9c2cc0776f641777ca8baf83f4748b1271fbdf
parent7113b1a45bd29318c3ec5ea5f61b1d523868ef4d (diff)
downloadgitlab-ce-982368dc55bbd22f82bf908f8af220056202a65a.tar.gz
Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users See merge request !2100
Diffstat
-rw-r--r--app/controllers/autocomplete_controller.rb2
-rw-r--r--spec/controllers/autocomplete_controller_spec.rb30
2 files changed, 21 insertions, 11 deletions
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 907717dcb96..fe331a883c1 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq
end
- if params[:author_id].present?
+ if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author
end
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 2c9d1ffc9c2..4c3a5ec49ef 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -170,22 +170,32 @@ describe AutocompleteController do
end
context 'author of issuable included' do
- before do
- sign_in(user)
- end
-
let(:body) { JSON.parse(response.body) }
- it 'includes the author' do
- get(:users, author_id: non_member.id)
+ context 'authenticated' do
+ before do
+ sign_in(user)
+ end
+
+ it 'includes the author' do
+ get(:users, author_id: non_member.id)
+
+ expect(body.first["username"]).to eq non_member.username
+ end
+
+ it 'rejects non existent user ids' do
+ get(:users, author_id: 99999)
- expect(body.first["username"]).to eq non_member.username
+ expect(body.collect { |u| u['id'] }).not_to include(99999)
+ end
end
- it 'rejects non existent user ids' do
- get(:users, author_id: 99999)
+ context 'without authenticating' do
+ it 'returns empty result' do
+ get(:users, author_id: non_member.id)
- expect(body.collect { |u| u['id'] }).not_to include(99999)
+ expect(body).to be_empty
+ end
end
end
View Lorry Controller Status