Commit 982368dc authored by DJ Mountney's avatar DJ Mountney

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users

See merge request !2100
parent 7113b1a4
......@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq
end
if params[:author_id].present?
if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author
end
......
......@@ -170,22 +170,32 @@ describe AutocompleteController do
end
context 'author of issuable included' do
before do
sign_in(user)
end
let(:body) { JSON.parse(response.body) }
it 'includes the author' do
get(:users, author_id: non_member.id)
context 'authenticated' do
before do
sign_in(user)
end
it 'includes the author' do
get(:users, author_id: non_member.id)
expect(body.first["username"]).to eq non_member.username
end
it 'rejects non existent user ids' do
get(:users, author_id: 99999)
expect(body.first["username"]).to eq non_member.username
expect(body.collect { |u| u['id'] }).not_to include(99999)
end
end
it 'rejects non existent user ids' do
get(:users, author_id: 99999)
context 'without authenticating' do
it 'returns empty result' do
get(:users, author_id: non_member.id)
expect(body.collect { |u| u['id'] }).not_to include(99999)
expect(body).to be_empty
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment