diff options
author | Alexis Reigel <alexis.reigel.ext@siemens.com> | 2018-09-17 17:37:20 +0200 |
---|---|---|
committer | Alexis Reigel <alexis.reigel.ext@siemens.com> | 2019-03-14 18:21:02 +0100 |
commit | d7a3e54be4af3206681b3e81c746e3f7c31f52e5 (patch) | |
tree | 41429ad51670a1bc9501c080e45addbd7591f158 | |
parent | 0592233a1add02c02a706ae1aa2f66661155146a (diff) | |
download | gitlab-ce-d7a3e54be4af3206681b3e81c746e3f7c31f52e5.tar.gz |
only users from groups the current user has access
-rw-r--r-- | lib/gitlab/group_search_results.rb | 9 | ||||
-rw-r--r-- | spec/lib/gitlab/group_search_results_spec.rb | 10 |
2 files changed, 18 insertions, 1 deletions
diff --git a/lib/gitlab/group_search_results.rb b/lib/gitlab/group_search_results.rb index 0654d5e25b4..8223135dc07 100644 --- a/lib/gitlab/group_search_results.rb +++ b/lib/gitlab/group_search_results.rb @@ -10,7 +10,14 @@ module Gitlab # rubocop:disable CodeReuse/ActiveRecord def users - super.where(id: @group.users_with_descendants) + # 1: get all groups the current user has access to + groups = GroupsFinder.new(current_user).execute.joins(:users) + + # 2: get all users the current user has access to (-> `SearchResults#users`) + users = super + + # 3: filter for users that belong to the previously selected groups + users.where(id: groups.select('members.user_id')) end # rubocop:enable CodeReuse/ActiveRecord end diff --git a/spec/lib/gitlab/group_search_results_spec.rb b/spec/lib/gitlab/group_search_results_spec.rb index 22ea3ebb9a4..a9f94038524 100644 --- a/spec/lib/gitlab/group_search_results_spec.rb +++ b/spec/lib/gitlab/group_search_results_spec.rb @@ -27,5 +27,15 @@ describe Gitlab::GroupSearchResults do expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [user1] end + + it 'does not return the user belonging to the private subgroup', :nested_groups do + user1 = create(:user, username: 'gob_bluth') + subgroup = create(:group, :private, parent: group) + create(:group_member, :developer, user: user1, group: subgroup) + + create(:user, username: 'gob_2018') + + expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [] + end end end |