author | Alexis Reigel <alexis.reigel.ext@siemens.com> | 2018-12-18 13:51:26 +0100 |
---|---|---|
committer | Alexis Reigel <alexis.reigel.ext@siemens.com> | 2019-03-14 18:21:03 +0100 |
commit | 4c684a8d5c5432a720577486451830f085994fd3 (patch) | |
tree | c408379de0a7871d6e85ea8d234dc147e45ffcf4 | |
parent | b4437cfaecfcd0f48079a2027920e828ea1c7e48 (diff) | |
download | gitlab-ce-4c684a8d5c5432a720577486451830f085994fd3.tar.gz |
check ability for user search results
-rw-r--r-- | lib/gitlab/search_results.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/search_results_spec.rb | 8 |
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index dd8854a89d4..301d5e326d9 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -138,6 +138,8 @@ module Gitlab
 # rubocop: enable CodeReuse/ActiveRecord
 def users
+ return User.none unless Ability.allowed?(current_user, :read_users_list)
+
 UsersFinder.new(current_user, search: query).execute
 end
diff --git a/spec/lib/gitlab/search_results_spec.rb b/spec/lib/gitlab/search_results_spec.rb
index 1a42fd36de0..4b57eecff93 100644
--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -123,6 +123,14 @@ describe Gitlab::SearchResults do
 end
 describe '#users' do
+ it 'does not call the UsersFinder when the current_user is not allowed to read users list' do
+ allow(Ability).to receive(:allowed?).and_return(false)
+
+ expect(UsersFinder).not_to receive(:new).with(user, search: 'foo').and_call_original
+
+ results.objects('users')
+ end
+
 it 'calls the UsersFinder' do
 expect(UsersFinder).to receive(:new).with(user, search: 'foo').and_call_original |
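Review bot: The new guard in `users` protects only this one reader, and nothing in the hunk shows whether the class's count or tab helpers for users route through it. If any of them builds its own query, a caller denied `:read_users_list` could still learn from the count whether matching accounts exist. It is worth confirming that every user-related path goes through `users` and recording that above the guard, for example `# All user lookups in this class must go through here; the users list is only visible with :read_users_list.` The rest of the class lies outside the hunk, so this is a check to make, not a confirmed gap.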
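Review bot: The negative expectation in the new example is narrowed by `.with(user, search: 'foo')`, so it would still pass if `UsersFinder.new` were called with any other arguments, and `and_call_original` has no role on a message that must not arrive; `expect(UsersFinder).not_to receive(:new)` states the intent. The blanket `allow(Ability).to receive(:allowed?).and_return(false)` also does not pin which permission is consulted, so the example would pass if the guard checked the wrong ability. `expect(Ability).to receive(:allowed?).with(user, :read_users_list).and_return(false)` would tie it to this guard, assuming no other ability check runs on this path. Asserting the outcome too, `expect(results.objects('users')).to be_empty`, would cover what is returned to the caller and not only the collaborator call. The `it 'calls the UsersFinder'` example that follows continues outside the hunk.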