Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users See merge request !2100
author: Robert Speicher <robert@gitlab.com> 2017-05-08 00:15:06 +0300
committer: Timothy Andrew <mail@timothyandrew.net> 2017-05-31 06:46:45 +0300
commit: e0833d68175d16d1606a1fed77e92425e5086527 (patch)
tree: ab79c9aa72903c5fd011643957043877faef82cf /app
parent: 960d0fda54f75ca6e856686f826cf2ef37d4eff5 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index d7a45bacd35..a71fbb91f42 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -22,7 +22,7 @@ class AutocompleteController < ApplicationController
         @users = [current_user, *@users]
       end
 
-      if params[:author_id].present?
+      if params[:author_id].present? && current_user
         author = User.find_by_id(params[:author_id])
         @users = [author, *@users].uniq if author
       end
author	Robert Speicher <robert@gitlab.com>	2017-05-08 00:15:06 +0300
committer	Timothy Andrew <mail@timothyandrew.net>	2017-05-31 06:46:45 +0300
commit	e0833d68175d16d1606a1fed77e92425e5086527 (patch)
tree	ab79c9aa72903c5fd011643957043877faef82cf /app
parent	960d0fda54f75ca6e856686f826cf2ef37d4eff5 (diff)