Fix for #33792, users can filter by bad author name and search term in group issues and MRs

f4f0e1b8 · Jesse Hall · Sean McGivern · ecbdf803 · f4f0e1b8 · f4f0e1b8
Commit f4f0e1b8 authored Oct 23, 2019 by Jesse Hall Committed by Sean McGivern Oct 23, 2019
3 changed files
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -483,6 +483,7 @@ class IssuableFinder
  # rubocop: disable CodeReuse/ActiveRecord
  def by_search(items)
    return items unless search
+    return items if items.is_a?(ActiveRecord::NullRelation)

    if use_cte_for_search?
      cte = Gitlab::SQL::RecursiveCTE.new(klass.table_name)

--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -163,6 +163,20 @@ describe IssuesFinder do
        end
      end

+      context 'filtering by nonexistent author ID and issue term using CTE for search' do
+        let(:params) do
+          {
+            author_id: 'does-not-exist',
+            search: 'git',
+            attempt_group_search_optimizations: true
+          }
+        end
+
+        it 'returns no results' do
+          expect(issues).to be_empty
+        end
+      end
+
      context 'filtering by milestone' do
        let(:params) { { milestone_title: milestone.title } }


--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -23,6 +23,18 @@ describe MergeRequestsFinder do
        expect(merge_requests).to contain_exactly(merge_request1)
      end

+      it 'filters by nonexistent author ID and MR term using CTE for search' do
+        params = {
+          author_id: 'does-not-exist',
+          search: 'git',
+          attempt_group_search_optimizations: true
+        }
+
+        merge_requests = described_class.new(user, params).execute
+
+        expect(merge_requests).to be_empty
+      end
+
      it 'filters by projects' do
        params = { projects: [project2.id, project3.id] }