authorAlexis Reigel <alexis.reigel.ext@siemens.com>2018-12-17 16:30:49 +0300
committerAlexis Reigel <alexis.reigel.ext@siemens.com>2019-03-14 20:21:02 +0300
commitdb0cf709703f0cc344351d2a8fd28d7d51046296 (patch)
treec43fc1b4fcc72537f4688a5f07ad3932c254bf91 /lib/gitlab/group_search_results.rb
parent3b01d23af0a17e269bbd39eab0d54b55d9b84b3e (diff)
restrict user result set by the scoped group
Diffstat (limited to 'lib/gitlab/group_search_results.rb')
-rw-r--r--lib/gitlab/group_search_results.rb12
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/gitlab/group_search_results.rb b/lib/gitlab/group_search_results.rb
index 8223135dc07..7255293b194 100644
--- a/lib/gitlab/group_search_results.rb
+++ b/lib/gitlab/group_search_results.rb
@@ -13,11 +13,17 @@ module Gitlab
# 1: get all groups the current user has access to
groups = GroupsFinder.new(current_user).execute.joins(:users)
- # 2: get all users the current user has access to (-> `SearchResults#users`)
+ # 2: Get the group's whole hierarchy
+ group_users = @group.direct_and_indirect_users
+
+ # 3: get all users the current user has access to (->
+ # `SearchResults#users`), which also applies the query.
users = super
- # 3: filter for users that belong to the previously selected groups
- users.where(id: groups.select('members.user_id'))
+ # 4: filter for users that belong to the previously selected groups
+ users
+ .where(id: group_users.select('id'))
+ .where(id: groups.select('members.user_id'))
end
# rubocop:enable CodeReuse/ActiveRecord
end
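Review bot: The two `where` clauses in step 4 are independent, so the result is the intersection of "in `@group`'s hierarchy" and "member of any group the current user can see", not "member of a visible group inside this hierarchy". If `direct_and_indirect_users` includes members of subgroups the current user cannot read (its definition is not visible here), a user who sits in such a subgroup and also in an unrelated visible group would still be returned, which discloses their membership of the scoped hierarchy. Consider restricting `groups` to `@group`'s hierarchy before the join, and add a spec with a private-subgroup member who also belongs to a public group elsewhere. The step-4 comment should also name both filters, e.g. `# 4: keep users in the scoped group's hierarchy who are also members of a group visible to current_user`. The method's `def` line is above the hunk.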