Commit 982368dc authored by DJ Mountney's avatar DJ Mountney

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users

See merge request !2100
parent 7113b1a4
...@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController ...@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq @users = [current_user, *@users].uniq
end end
if params[:author_id].present? if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id]) author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author @users = [author, *@users].uniq if author
end end
......
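Review bot: The new `&& current_user` guard keeps anonymous callers from resolving an arbitrary `author_id`, but the lookup on the next line is still unscoped — `User.find_by_id(params[:author_id])` resolves any user id for any signed-in user, including users who are not members of whatever the autocomplete is for (the spec exercises exactly this with `non_member`). If that is intended because the issuable's author must be listed even when not a member, it deserves a why-comment on that line, e.g. `# Any signed-in user may resolve the author by id; the author need not be a member`, so the next reader does not mistake it for an oversight. The enclosing `users` action starts and ends outside this hunk, so whether `@users` is otherwise already restricted for anonymous callers cannot be confirmed from here.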
...@@ -170,22 +170,32 @@ describe AutocompleteController do ...@@ -170,22 +170,32 @@ describe AutocompleteController do
end end
context 'author of issuable included' do context 'author of issuable included' do
before do
sign_in(user)
end
let(:body) { JSON.parse(response.body) } let(:body) { JSON.parse(response.body) }
it 'includes the author' do context 'authenticated' do
get(:users, author_id: non_member.id) before do
sign_in(user)
end
it 'includes the author' do
get(:users, author_id: non_member.id)
expect(body.first["username"]).to eq non_member.username
end
it 'rejects non existent user ids' do
get(:users, author_id: 99999)
expect(body.first["username"]).to eq non_member.username expect(body.collect { |u| u['id'] }).not_to include(99999)
end
end end
it 'rejects non existent user ids' do context 'without authenticating' do
get(:users, author_id: 99999) it 'returns empty result' do
get(:users, author_id: non_member.id)
expect(body.collect { |u| u['id'] }).not_to include(99999) expect(body).to be_empty
end
end end
end end
......
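Review bot: The new `'without authenticating'` example asserts only `expect(body).to be_empty`, so if the anonymous path ever stopped rendering a JSON array (a redirect to sign-in, or a 401 with an HTML body), `JSON.parse` inside the `body` helper would raise and the spec would error rather than fail with a readable message; asserting the response first, `expect(response).to have_http_status(200)` (or whichever status the action is meant to return to anonymous callers — not visible in this hunk), pins that contract. A small style point on the retained `'rejects non existent user ids'` example: `body.collect { |u| u['id'] }` reads more idiomatically as `body.map { |u| u['id'] }`. The enclosing `describe AutocompleteController` block continues outside this hunk.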