Commit d7a3e54b authored by Alexis Reigel's avatar Alexis Reigel

only users from groups the current user has access

parent 0592233a
......@@ -10,7 +10,14 @@ module Gitlab
# rubocop:disable CodeReuse/ActiveRecord
def users
super.where(id: @group.users_with_descendants)
# 1: get all groups the current user has access to
groups = GroupsFinder.new(current_user).execute.joins(:users)
# 2: get all users the current user has access to (-> `SearchResults#users`)
users = super
# 3: filter for users that belong to the previously selected groups
users.where(id: groups.select('members.user_id'))
end
# rubocop:enable CodeReuse/ActiveRecord
end
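Review bot: The rewritten `users` no longer limits results to the group being searched. The removed `where(id: @group.users_with_descendants)` is replaced by a filter over every group the current user can access (per the step-1 comment), so as far as this hunk shows, a matching member of an unrelated but visible group would appear in a search scoped to `@group`. The tighter fix is to restrict `groups` to `@group` and its descendants before selecting member ids; at minimum keep the old condition next to the new one, e.g. `users.where(id: @group.users_with_descendants).where(id: groups.select('members.user_id'))`. It is also worth confirming that `joins(:users)` counts only accepted memberships, since pending invites or access requests should presumably not make a user discoverable. The enclosing class starts outside the hunk.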
......
......@@ -27,5 +27,15 @@ describe Gitlab::GroupSearchResults do
expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [user1]
end
it 'does not return the user belonging to the private subgroup', :nested_groups do
user1 = create(:user, username: 'gob_bluth')
subgroup = create(:group, :private, parent: group)
create(:group_member, :developer, user: user1, group: subgroup)
create(:user, username: 'gob_2018')
expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq []
end
end
end
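Review bot: The added example covers only a private subgroup, so it would still pass if the search returned members of a group outside `group`'s hierarchy. A second example would pin the scoping as well as the visibility rule: create an unrelated group that `user` can see, add a user whose name matches 'gob' to it, and expect `objects('users')` to be empty. The `describe` block starts outside the hunk.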