Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'

(10.2) Avoid partial partial email adresses for matching

See merge request gitlab/gitlabhq!2232

(cherry picked from commit 081aa1e91a777c9acb31be4a1e76b3dd7032fa9a)

There are unresolved conflicts in app/models/user.rb.

fa85a3fd Don't allow searching for partial user emails

1 files changed, 21 insertions, 0 deletions

diff --git a/spec/features/groups/members/manage_members.rb b/spec/features/groups/members/manage_members.rb
index da1e17225db..21f7b4999ad 100644
--- a/spec/features/groups/members/manage_members.rb
+++ b/spec/features/groups/members/manage_members.rb
@@ -38,6 +38,27 @@ feature 'Groups > Members > Manage members' do
     end
   end
 
+  scenario 'do not disclose email addresses', :js do
+    group.add_owner(user1)
+    create(:user, email: 'undisclosed_email@gitlab.com', name: "Jane 'invisible' Doe")
+
+    visit group_group_members_path(group)
+
+    find('.select2-container').click
+    select_input = find('.select2-input')
+
+    select_input.send_keys('@gitlab.com')
+    wait_for_requests
+
+    expect(page).to have_content('No matches found')
+
+    select_input.native.clear
+    select_input.send_keys('undisclosed_email@gitlab.com')
+    wait_for_requests
+
+    expect(page).to have_content("Jane 'invisible' Doe")
+  end
+
   scenario 'remove user from group', :js do
     group.add_owner(user1)
     group.add_developer(user2)