Commit 524f6515 authored by Bob Van Landuyt

Only expand ancestors when searching

Not all_groups, since that would expose groups the user does not have
access to
parent da5073cc
module GroupTree
def render_group_tree(groups)
if params[:filter].present?
@groups = Gitlab::GroupHierarchy.new(groups).all_groups
@groups = Gitlab::GroupHierarchy.new(@groups.search(params[:filter])).base_and_ancestors
@groups = if params[:filter].present?
Gitlab::GroupHierarchy.new(groups.search(params[:filter]))
.base_and_ancestors
else
# Only show root groups if no parent-id is given
@groups = groups.where(parent_id: params[:parent_id])
groups.where(parent_id: params[:parent_id])
end
@groups = @groups.with_selects_for_list
.sort(@sort = params[:sort])
......
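Review bot: In the filter branch, `base_and_ancestors` loads every ancestor of the matched groups, and nothing on the visible lines limits those ancestors to the `groups` relation the caller passed in. The spec expects a private parent to be returned for a user who is only a member of its subgroup, so this looks intentional, but it means the concern is only safe while being allowed to see a group implies being allowed to see its ancestors in the list. I would state that contract above the branch, for example `# Ancestors are not re-scoped to groups; callers must pass a relation whose ancestors the user may see`, so a later caller does not pass a narrower scope and assume the result stays inside it. The body of render_group_tree continues past the last visible line.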
......@@ -9,7 +9,7 @@ describe GroupTree do
include GroupTree # rubocop:disable RSpec/DescribedClass
def index
render_group_tree Group.all
render_group_tree GroupsFinder.new(current_user).execute
end
end
......@@ -52,6 +52,17 @@ describe GroupTree do
expect(assigns(:groups)).to contain_exactly(group, subgroup)
end
it 'does not include groups the user does not have access to' do
parent = create(:group, :private)
subgroup = create(:group, :private, parent: parent, name: 'filter')
subgroup.add_developer(user)
_other_subgroup = create(:group, :private, parent: parent, name: 'filte')
get :index, filter: 'filt', format: :json
expect(assigns(:groups)).to contain_exactly(parent, subgroup)
end
end
context 'json content' do
......
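Review bot: The new example only pins that a sibling subgroup under the same parent is left out; no visible example covers a matching private group in a hierarchy where the user has no membership at all. Since the anonymous controller's relation changes from `Group.all` to `GroupsFinder.new(current_user).execute` in this same commit, that case is worth pinning too, unless an example outside these hunks already does. Adding `_unrelated = create(:group, :private, name: 'filter-unrelated')` before the request would be enough, because `contain_exactly(parent, subgroup)` would then fail if the group were returned. The names 'filter' and 'filte' are also easy to misread as a typo; a name that says why the group is excluded would make the intent clearer.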