authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:28:54 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:28:54 +0000
commit41fd6d4d38aaef723e501ff3ab38ae63e31d4efb (patch)
tree65f9e06d467a90b39cfc7ea6debc3864d219f7cb /app
parentabbf44bd6cfb29413b3cf5768b691e5b222b89ea (diff)
downloadgitlab-ce-41fd6d4d38aaef723e501ff3ab38ae63e31d4efb.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/finders/users_finder.rb2
-rw-r--r--app/models/user.rb19
2 files changed, 18 insertions, 3 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb
index 8054ecbd502..2b4ce615090 100644
--- a/app/finders/users_finder.rb
+++ b/app/finders/users_finder.rb
@@ -74,7 +74,7 @@ class UsersFinder
def by_search(users)
return users unless params[:search].present?
- users.search(params[:search])
+ users.search(params[:search], with_private_emails: current_user&.admin?)
end
def by_blocked(users)
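Review bot: The decision to expose private emails is made only here, by `current_user&.admin?`, while `User#search` accepts any truthy `with_private_emails` without re-checking, so every present or future caller of `search` must repeat this gate; a comment at the call site would make that explicit, e.g. `# Only administrators may match on private/secondary emails; User#search does not authorize this itself.` For an anonymous caller `current_user` is nil, the safe navigation yields nil, and `search` falls back to the public-email path, so the default is the restrictive one. If the application distinguishes an administrator who has enabled admin mode from one who has not, `admin?` may be broader than intended and `current_user&.can_admin_all_resources?` could be the intended predicate — worth confirming against how other finders gate admin-only data.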
diff --git a/app/models/user.rb b/app/models/user.rb
index a587723053f..1d452fc2e50 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -648,6 +648,7 @@ class User < ApplicationRecord
# This method uses ILIKE on PostgreSQL.
#
# query - The search query as a String
+ # with_private_emails - include private emails in search
#
# Returns an ActiveRecord::Relation.
def search(query, **options)
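Review bot: The added `with_private_emails` line documents the option only as "include private emails in search", leaving its default and its security meaning to the reader; since omitting it selects the public-email path and passing a truthy value widens matching to addresses the user has not chosen to expose, the comment should say so: `# with_private_emails - when truthy, also match secondary/private emails (default: false); callers are responsible for authorizing this, it is intended for administrators only`. The body of `search` continues past this hunk.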
@@ -660,14 +661,16 @@ class User < ApplicationRecord
CASE
WHEN users.name = :query THEN 0
WHEN users.username = :query THEN 1
- WHEN users.email = :query THEN 2
+ WHEN users.public_email = :query THEN 2
ELSE 3
END
SQL
sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query]))
- search_with_secondary_emails(query).reorder(sanitized_order_sql, :name)
+ scope = options[:with_private_emails] ? search_with_secondary_emails(query) : search_with_public_emails(query)
+
+ scope.reorder(sanitized_order_sql, :name)
end
# Limits the result set to users _not_ in the given query/list of IDs.
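Review bot: The ranking CASE on the new side gives rank 2 only to `users.public_email = :query`, so when `with_private_emails` is truthy and a row matched through a secondary or private email it now falls to rank 3 — an ordering change relative to the removed `users.email` line that neither the code nor the comment mentions. If this is intentional (private emails may match but never act as an ordering signal, which keeps result order from hinting at them), a comment above the CASE such as `# Only the public email participates in ranking; private emails can match but never reorder results.` would preserve that intent for the next reader. Note also that `options[:with_private_emails]` accepts any truthy value and performs no authorization itself, which is fine only as long as the finder keeps the admin gate. `search` opens at line 40, outside this hunk.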
@@ -682,6 +685,18 @@ class User < ApplicationRecord
reorder(:name)
end
+ def search_with_public_emails(query)
+ return none if query.blank?
+
+ query = query.downcase
+
+ where(
+ fuzzy_arel_match(:name, query, use_minimum_char_limit: user_search_minimum_char_limit)
+ .or(fuzzy_arel_match(:username, query, use_minimum_char_limit: user_search_minimum_char_limit))
+ .or(arel_table[:public_email].eq(query))
+ )
+ end
+
def search_without_secondary_emails(query)
return none if query.blank?