Commit d8dd1c19 authored by Rémy Coutable's avatar Rémy Coutable

Ensure invitees are not returned in Members API

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 7afee665
......@@ -12,6 +12,7 @@ v 8.12.0 (unreleased)
- Update gitlab shell secret file also when it is empty. !3774 (glensc)
- Give project selection dropdowns responsive width, make non-wrapping.
- Make push events have equal vertical spacing.
- API: Ensure invitees are not returned in Members API.
- Add two-factor recovery endpoint to internal API !5510
- Pass the "Remember me" value to the U2F authentication form
- Remove vendor prefixes for linear-gradient CSS (ClemMakesApps)
......
......@@ -20,7 +20,7 @@ module API
access_requesters = paginate(source.requesters.includes(:user))
present access_requesters.map(&:user), with: Entities::AccessRequester, access_requesters: access_requesters
present access_requesters.map(&:user), with: Entities::AccessRequester, source: source
end
# Request access to the group/project
......
......@@ -104,18 +104,18 @@ module API
class Member < UserBasic
expose :access_level do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id }
member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.access_level
end
expose :expires_at do |user, options|
member = options[:member] || options[:members].find { |m| m.user_id == user.id }
member = options[:member] || options[:source].members.find_by(user_id: user.id)
member.expires_at
end
end
class AccessRequester < UserBasic
expose :requested_at do |user, options|
access_requester = options[:access_requester] || options[:access_requesters].find { |m| m.user_id == user.id }
access_requester = options[:access_requester] || options[:source].requesters.find_by(user_id: user.id)
access_requester.requested_at
end
end
......
......@@ -18,11 +18,11 @@ module API
get ":id/members" do
source = find_source(source_type, params[:id])
members = source.members.includes(:user)
members = members.joins(:user).merge(User.search(params[:query])) if params[:query]
members = paginate(members)
users = source.users
users = users.merge(User.search(params[:query])) if params[:query]
users = paginate(users)
present members.map(&:user), with: Entities::Member, members: members
present users, with: Entities::Member, source: source
end
# Get a group/project member
......
......@@ -30,9 +30,8 @@ describe API::Members, api: true do
let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members", stranger) }
end
context 'when authenticated as a non-member' do
%i[access_requester stranger].each do |type|
context "as a #{type}" do
%i[master developer access_requester stranger].each do |type|
context "when authenticated as a #{type}" do
it 'returns 200' do
user = public_send(type)
get api("/#{source_type.pluralize}/#{source.id}/members", user)
......@@ -42,6 +41,14 @@ describe API::Members, api: true do
end
end
end
it 'does not return invitees' do
invitee = create(:"#{source_type}_member", invite_token: '123', invite_email: 'test@abc.com', source: source, user: nil)
get api("/#{source_type.pluralize}/#{source.id}/members", developer)
expect(response).to have_http_status(200)
expect(json_response.size).to eq(2)
end
it 'finds members with query string' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment