BigW Consortium Gitlab

Skip to content

G
gitlab-ce
Commit 664ee814 by Robert Speicher Committed by Timothy Andrew
Options

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users See merge request !2100
parent 6a9efdc5
Showing with 25 additions and 11 deletions
app/controllers/autocomplete_controller.rb
......@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq
end
if params[:author_id].present?
if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author
end
......
changelogs/unreleased/dz-restrict-autocomplete.yml 0 → 100644
---
title: Allow users autocomplete by author_id only for authenticated users
merge_request:
author:
spec/controllers/autocomplete_controller_spec.rb
......@@ -156,22 +156,32 @@ describe AutocompleteController do
end
context 'author of issuable included' do
before do
sign_in(user)
end
let(:body) { JSON.parse(response.body) }
it 'includes the author' do
get(:users, author_id: non_member.id)
context 'authenticated' do
before do
sign_in(user)
end
it 'includes the author' do
get(:users, author_id: non_member.id)
expect(body.first["username"]).to eq non_member.username
end
it 'rejects non existent user ids' do
get(:users, author_id: 99999)
expect(body.first["username"]).to eq non_member.username
expect(body.collect { |u| u['id'] }).not_to include(99999)
end
end
it 'rejects non existent user ids' do
get(:users, author_id: 99999)
context 'without authenticating' do
it 'returns empty result' do
get(:users, author_id: non_member.id)
expect(body.collect { |u| u['id'] }).not_to include(99999)
expect(body).to be_empty
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment