Skip to content

G
gitlab-ce
Commit d7a3e54b authored by Alexis Reigel's avatar Alexis Reigel
Browse files
Options

only users from groups the current user has access

parent 0592233a
Hide whitespace changes
Inline Side-by-side
Showing with 18 additions and 1 deletion
lib/gitlab/group_search_results.rb
View file @ d7a3e54b
...@@ -10,7 +10,14 @@ module Gitlab ...@@ -10,7 +10,14 @@ module Gitlab
# rubocop:disable CodeReuse/ActiveRecord # rubocop:disable CodeReuse/ActiveRecord
def users def users
super.where(id: @group.users_with_descendants) # 1: get all groups the current user has access to
groups = GroupsFinder.new(current_user).execute.joins(:users)
# 2: get all users the current user has access to (-> `SearchResults#users`)
users = super
# 3: filter for users that belong to the previously selected groups
users.where(id: groups.select('members.user_id'))
end end
# rubocop:enable CodeReuse/ActiveRecord # rubocop:enable CodeReuse/ActiveRecord
end end
......
spec/lib/gitlab/group_search_results_spec.rb
View file @ d7a3e54b
...@@ -27,5 +27,15 @@ describe Gitlab::GroupSearchResults do ...@@ -27,5 +27,15 @@ describe Gitlab::GroupSearchResults do
expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [user1] expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [user1]
end end
it 'does not return the user belonging to the private subgroup', :nested_groups do
user1 = create(:user, username: 'gob_bluth')
subgroup = create(:group, :private, parent: group)
create(:group_member, :developer, user: user1, group: subgroup)
create(:user, username: 'gob_2018')
expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq []
end
end end
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7