authorRobert Speicher <robert@gitlab.com>2017-05-08 00:15:06 +0300
committerRobert Speicher <robert@gitlab.com>2017-05-08 00:15:06 +0300
commit64b69360b635375861222ae3467c7bcf696d9343 (patch)
tree8b52ff85bab31cf6804be9ac2fbf4ad7cbb9c4bc
parent136df9f80731550057264e675eed53381143d684 (diff)
parentd9d59cd1a0c4d1b3b93f62f385f73b24d7868f63 (diff)
Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users. See merge request !2100
-rw-r--r--app/controllers/autocomplete_controller.rb2
-rw-r--r--changelogs/unreleased/dz-restrict-autocomplete.yml4
-rw-r--r--spec/controllers/autocomplete_controller_spec.rb30
3 files changed, 25 insertions, 11 deletions
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index b79ca034c5b..f94f88305a4 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq
end
- if params[:author_id].present?
+ if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author
end
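Review bot: The new condition `if params[:author_id].present? && current_user` closes the anonymous path, but the lookup on the following line is still an unscoped `User.find_by_id`, so as far as this hunk shows any signed-in account can confirm the existence of an arbitrary user id and pull its username (the spec asserts the username is returned), including accounts that are blocked or otherwise not visible to the caller. If the model exposes a visibility or active-user scope, routing the lookup through it would be the stronger fix; I cannot tell from the hunk whether that is meant to be in scope for this security patch. A why-comment would also help the next reader see that the guard is deliberate rather than incidental: `# Only signed-in users may resolve an arbitrary author_id; anonymous requests must not be able to enumerate users`. The enclosing action begins before this hunk, so I cannot see whether an earlier filter already covers this path.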
diff --git a/changelogs/unreleased/dz-restrict-autocomplete.yml b/changelogs/unreleased/dz-restrict-autocomplete.yml
new file mode 100644
index 00000000000..65c944653f8
--- /dev/null
+++ b/changelogs/unreleased/dz-restrict-autocomplete.yml
@@ -0,0 +1,4 @@
+---
+title: Allow users autocomplete by author_id only for authenticated users
+merge_request:
+author:
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 7d2f6dd9d0a..14b105c69e5 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
@@ -156,22 +156,32 @@ describe AutocompleteController do
end
context 'author of issuable included' do
- before do
- sign_in(user)
- end
-
let(:body) { JSON.parse(response.body) }
- it 'includes the author' do
- get(:users, author_id: non_member.id)
+ context 'authenticated' do
+ before do
+ sign_in(user)
+ end
+
+ it 'includes the author' do
+ get(:users, author_id: non_member.id)
+
+ expect(body.first["username"]).to eq non_member.username
+ end
+
+ it 'rejects non existent user ids' do
+ get(:users, author_id: 99999)
- expect(body.first["username"]).to eq non_member.username
+ expect(body.collect { |u| u['id'] }).not_to include(99999)
+ end
end
- it 'rejects non existent user ids' do
- get(:users, author_id: 99999)
+ context 'without authenticating' do
+ it 'returns empty result' do
+ get(:users, author_id: non_member.id)
- expect(body.collect { |u| u['id'] }).not_to include(99999)
+ expect(body).to be_empty
+ end
end
end
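Review bot: The unauthenticated example `it 'returns empty result'` asserts only `expect(body).to be_empty`, which demonstrates that the author is not leaked only as long as anonymous callers receive an empty list for every other reason as well; should the endpoint ever return a non-empty default list to anonymous requests, this example would fail without saying anything about `author_id`. Pinning the property the patch actually fixes is more robust and survives such a change: `expect(body.map { |u| u['id'] }).not_to include(non_member.id)`, which can sit alongside the emptiness check rather than replace it. The surrounding `describe` block starts before this hunk, so I am assuming `non_member` is a persisted user as in the authenticated example above.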