diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 14:28:54 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-03 14:28:54 +0300 |
| commit | 41fd6d4d38aaef723e501ff3ab38ae63e31d4efb (patch) | |
| tree | 65f9e06d467a90b39cfc7ea6debc3864d219f7cb /app | |
| parent | abbf44bd6cfb29413b3cf5768b691e5b222b89ea (diff) | |
Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee
Diffstat (limited to 'app')
| -rw-r--r-- | app/finders/users_finder.rb | 2 | ||||
| -rw-r--r-- | app/models/user.rb | 19 |
2 files changed, 18 insertions, 3 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb index 8054ecbd502..2b4ce615090 100644 --- a/app/finders/users_finder.rb +++ b/app/finders/users_finder.rb @@ -74,7 +74,7 @@ class UsersFinder def by_search(users) return users unless params[:search].present? - users.search(params[:search]) + users.search(params[:search], with_private_emails: current_user&.admin?) end def by_blocked(users) diff --git a/app/models/user.rb b/app/models/user.rb index a587723053f..1d452fc2e50 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -648,6 +648,7 @@ class User < ApplicationRecord # This method uses ILIKE on PostgreSQL. # # query - The search query as a String + # with_private_emails - include private emails in search # # Returns an ActiveRecord::Relation. def search(query, **options) @@ -660,14 +661,16 @@ class User < ApplicationRecord CASE WHEN users.name = :query THEN 0 WHEN users.username = :query THEN 1 - WHEN users.email = :query THEN 2 + WHEN users.public_email = :query THEN 2 ELSE 3 END SQL sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query])) - search_with_secondary_emails(query).reorder(sanitized_order_sql, :name) + scope = options[:with_private_emails] ? search_with_secondary_emails(query) : search_with_public_emails(query) + + scope.reorder(sanitized_order_sql, :name) end # Limits the result set to users _not_ in the given query/list of IDs. @@ -682,6 +685,18 @@ class User < ApplicationRecord reorder(:name) end + def search_with_public_emails(query) + return none if query.blank? + + query = query.downcase + + where( + fuzzy_arel_match(:name, query, use_minimum_char_limit: user_search_minimum_char_limit) + .or(fuzzy_arel_match(:username, query, use_minimum_char_limit: user_search_minimum_char_limit)) + .or(arel_table[:public_email].eq(query)) + ) + end + def search_without_secondary_emails(query) return none if query.blank? |