Commit d8dd1c19 authored by Rémy Coutable's avatar Rémy Coutable

Ensure invitees are not returned in Members API

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 7afee665
...@@ -12,6 +12,7 @@ v 8.12.0 (unreleased) ...@@ -12,6 +12,7 @@ v 8.12.0 (unreleased)
- Update gitlab shell secret file also when it is empty. !3774 (glensc) - Update gitlab shell secret file also when it is empty. !3774 (glensc)
- Give project selection dropdowns responsive width, make non-wrapping. - Give project selection dropdowns responsive width, make non-wrapping.
- Make push events have equal vertical spacing. - Make push events have equal vertical spacing.
- API: Ensure invitees are not returned in Members API.
- Add two-factor recovery endpoint to internal API !5510 - Add two-factor recovery endpoint to internal API !5510
- Pass the "Remember me" value to the U2F authentication form - Pass the "Remember me" value to the U2F authentication form
- Remove vendor prefixes for linear-gradient CSS (ClemMakesApps) - Remove vendor prefixes for linear-gradient CSS (ClemMakesApps)
......
...@@ -20,7 +20,7 @@ module API ...@@ -20,7 +20,7 @@ module API
access_requesters = paginate(source.requesters.includes(:user)) access_requesters = paginate(source.requesters.includes(:user))
present access_requesters.map(&:user), with: Entities::AccessRequester, access_requesters: access_requesters present access_requesters.map(&:user), with: Entities::AccessRequester, source: source
end end
# Request access to the group/project # Request access to the group/project
......
...@@ -104,18 +104,18 @@ module API ...@@ -104,18 +104,18 @@ module API
class Member < UserBasic class Member < UserBasic
expose :access_level do |user, options| expose :access_level do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id } member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.access_level member.access_level
end end
expose :expires_at do |user, options| expose :expires_at do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id } member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.expires_at member.expires_at
end end
end end
class AccessRequester < UserBasic class AccessRequester < UserBasic
expose :requested_at do |user, options| expose :requested_at do |user, options|
access_requester = options[:access_requester] || options[:access_requesters].find { |m| m.user_id == user.id } access_requester = options[:access_requester] || options[:source].requesters.find_by(user_id: user.id)
access_requester.requested_at access_requester.requested_at
end end
end end
......
...@@ -18,11 +18,11 @@ module API ...@@ -18,11 +18,11 @@ module API
get ":id/members" do get ":id/members" do
source = find_source(source_type, params[:id]) source = find_source(source_type, params[:id])
members = source.members.includes(:user) users = source.users
members = members.joins(:user).merge(User.search(params[:query])) if params[:query] users = users.merge(User.search(params[:query])) if params[:query]
members = paginate(members) users = paginate(users)
present members.map(&:user), with: Entities::Member, members: members present users, with: Entities::Member, source: source
end end
# Get a group/project member # Get a group/project member
......
...@@ -30,9 +30,8 @@ describe API::Members, api: true do ...@@ -30,9 +30,8 @@ describe API::Members, api: true do
let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members", stranger) } let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members", stranger) }
end end
context 'when authenticated as a non-member' do %i[master developer access_requester stranger].each do |type|
%i[access_requester stranger].each do |type| context "when authenticated as a #{type}" do
context "as a #{type}" do
it 'returns 200' do it 'returns 200' do
user = public_send(type) user = public_send(type)
get api("/#{source_type.pluralize}/#{source.id}/members", user) get api("/#{source_type.pluralize}/#{source.id}/members", user)
...@@ -42,6 +41,14 @@ describe API::Members, api: true do ...@@ -42,6 +41,14 @@ describe API::Members, api: true do
end end
end end
end end
it 'does not return invitees' do
invitee = create(:"#{source_type}_member", invite_token: '123', invite_email: 'test@abc.com', source: source, user: nil)
get api("/#{source_type.pluralize}/#{source.id}/members", developer)
expect(response).to have_http_status(200)
expect(json_response.size).to eq(2)
end end
it 'finds members with query string' do it 'finds members with query string' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment