Merge branch '22065-group-members-api-returning-null-user-details' into 'master'

Ensure invitees are not returned in Members API ## What are the relevant issue numbers? Closes #22065 See merge request !6370

Merge branch '22065-group-members-api-returning-null-user-details' into 'master'
Ensure invitees are not returned in Members API ## What are the relevant issue numbers? Closes #22065 See merge request !6370
2f597386 · Robert Speicher · Ruben Davila · 82642a4b · 2f597386 · 2f597386
Commit 2f597386 authored Sep 20, 2016 by Robert Speicher Committed by Ruben Davila Sep 20, 2016
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,7 @@ v 8.12.0 (unreleased)
  - Give project selection dropdowns responsive width, make non-wrapping.
  - Fix note form hint showing slash commands supported for commits.
  - Make push events have equal vertical spacing.
+  - API: Ensure invitees are not returned in Members API.
  - Add two-factor recovery endpoint to internal API !5510
  - Pass the "Remember me" value to the U2F authentication form
  - Display stages in valid order in stages dropdown on build page

--- a/lib/api/access_requests.rb
+++ b/lib/api/access_requests.rb
@@ -20,7 +20,7 @@ module API
          access_requesters = paginate(source.requesters.includes(:user))
-          present access_requesters.map(&:user), with: Entities::AccessRequester, access_requesters: access_requesters
+          present access_requesters.map(&:user), with: Entities::AccessRequester, source: source
        end
        # Request access to the group/project

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -104,18 +104,18 @@ module API
    class Member < UserBasic
      expose :access_level do |user, options|
-        member = options[:member] || options[:members].find { |m| m.user_id == user.id }
+        member = options[:member] || options[:source].members.find_by(user_id: user.id)
        member.access_level
      end
      expose :expires_at do |user, options|
-        member = options[:member] || options[:members].find { |m| m.user_id == user.id }
+        member = options[:member] || options[:source].members.find_by(user_id: user.id)
        member.expires_at
      end
    end
    class AccessRequester < UserBasic
      expose :requested_at do |user, options|
-        access_requester = options[:access_requester] || options[:access_requesters].find { |m| m.user_id == user.id }
+        access_requester = options[:access_requester] || options[:source].requesters.find_by(user_id: user.id)
        access_requester.requested_at
      end
    end

--- a/lib/api/members.rb
+++ b/lib/api/members.rb
@@ -18,11 +18,11 @@ module API
        get ":id/members" do
          source = find_source(source_type, params[:id])
-          members = source.members.includes(:user)
+          users = source.users
-          members = members.joins(:user).merge(User.search(params[:query])) if params[:query]
+          users = users.merge(User.search(params[:query])) if params[:query]
-          members = paginate(members)
+          users = paginate(users)
-          present members.map(&:user), with: Entities::Member, members: members
+          present users, with: Entities::Member, source: source
        end
        # Get a group/project member

--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -30,20 +30,29 @@ describe API::Members, api: true  do
        let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members", stranger) }
      end
-      context 'when authenticated as a non-member' do
+      %i[master developer access_requester stranger].each do |type|
-        %i[access_requester stranger].each do |type|
+        context "when authenticated as a #{type}" do
-          context "as a #{type}" do
+          it 'returns 200' do
-            it 'returns 200' do
+            user = public_send(type)
-              user = public_send(type)
+            get api("/#{source_type.pluralize}/#{source.id}/members", user)
-              get api("/#{source_type.pluralize}/#{source.id}/members", user)
-              expect(response).to have_http_status(200)
+            expect(response).to have_http_status(200)
-              expect(json_response.size).to eq(2)
+            expect(json_response.size).to eq(2)
-            end
+            expect(json_response.map { |u| u['id'] }).to match_array [master.id, developer.id]
          end
        end
      end
+      it 'does not return invitees' do
+        create(:"#{source_type}_member", invite_token: '123', invite_email: 'test@abc.com', source: source, user: nil)
+        get api("/#{source_type.pluralize}/#{source.id}/members", developer)
+        expect(response).to have_http_status(200)
+        expect(json_response.size).to eq(2)
+        expect(json_response.map { |u| u['id'] }).to match_array [master.id, developer.id]
+      end
      it 'finds members with query string' do
        get api("/#{source_type.pluralize}/#{source.id}/members", developer), query: master.username