Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users See merge request !2100

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users See merge request !2100
982368dc · DJ Mountney · 7113b1a4 · 982368dc · 982368dc
Commit 982368dc authored Jun 08, 2017 by DJ Mountney
Showing with 21 additions and 11 deletions

app/controllers/autocomplete_controller.rb app/controllers/autocomplete_controller.rb +1 -1

spec/controllers/autocomplete_controller_spec.rb spec/controllers/autocomplete_controller_spec.rb +20 -10

No files found.
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
        @users = [current_user, *@users].uniq
      end

-      if params[:author_id].present?
+      if params[:author_id].present? && current_user
        author = User.find_by_id(params[:author_id])
        @users = [author, *@users].uniq if author
      end

--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -170,12 +170,13 @@ describe AutocompleteController do
    end

    context 'author of issuable included' do
+      let(:body) { JSON.parse(response.body) }
+
+      context 'authenticated' do
        before do
          sign_in(user)
        end

-      let(:body) { JSON.parse(response.body) }
-
        it 'includes the author' do
          get(:users, author_id: non_member.id)

@@ -189,6 +190,15 @@ describe AutocompleteController do
        end
      end

+      context 'without authenticating' do
+        it 'returns empty result' do
+          get(:users, author_id: non_member.id)
+
+          expect(body).to be_empty
+        end
+      end
+    end
+
    context 'skip_users parameter included' do
      before { sign_in(user) }