Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users See merge request !2100

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
664ee814 · Robert Speicher · Timothy Andrew · 6a9efdc5 · 664ee814 · 664ee814
Commit 664ee814 authored May 07, 2017 by Robert Speicher Committed by Timothy Andrew May 31, 2017
3 changed files
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
        @users = [current_user, *@users].uniq
      end
-      if params[:author_id].present?
+      if params[:author_id].present? && current_user
        author = User.find_by_id(params[:author_id])
        @users = [author, *@users].uniq if author
      end

--- a/changelogs/unreleased/dz-restrict-autocomplete.yml
+++ b/changelogs/unreleased/dz-restrict-autocomplete.yml
+---
+title: Allow users autocomplete by author_id only for authenticated users
+merge_request:
+author:
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -156,12 +156,13 @@ describe AutocompleteController do
    end
    context 'author of issuable included' do
+      let(:body) { JSON.parse(response.body) }
+      context 'authenticated' do
        before do
          sign_in(user)
        end
-      let(:body) { JSON.parse(response.body) }
        it 'includes the author' do
          get(:users, author_id: non_member.id)
@@ -175,6 +176,15 @@ describe AutocompleteController do
        end
      end
+      context 'without authenticating' do
+        it 'returns empty result' do
+          get(:users, author_id: non_member.id)
+          expect(body).to be_empty
+        end
+      end
+    end
    context 'skip_users parameter included' do
      before { sign_in(user) }