Restrict access to confidential issues on search results

author: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-03-17 23:48:19 +0300
committer: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-03-18 02:55:59 +0300
commit: f2ba4e3d364671cb100446b584502c5522a751df (patch)
tree: a4355d82ec73cd4457a2be48a79a340ec7158eeb /lib/gitlab/search_results.rb
parent: e4f1c001e6886d6001a258bf2fad75f8b424eff1 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/gitlab/search_results.rb b/lib/gitlab/search_results.rb
index f13528a2eea..f8ab2b1f09e 100644
--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -1,12 +1,13 @@
 module Gitlab
   class SearchResults
-    attr_reader :query
+    attr_reader :current_user, :query
 
     # Limit search results by passed projects
     # It allows us to search only for projects user has access to
     attr_reader :limit_projects
 
-    def initialize(limit_projects, query)
+    def initialize(current_user, limit_projects, query)
+      @current_user = current_user
       @limit_projects = limit_projects || Project.all
       @query = Shellwords.shellescape(query) if query.present?
     end
@@ -58,7 +59,7 @@ module Gitlab
     end
 
     def issues
-      issues = Issue.where(project_id: project_ids_relation)
+      issues = Issue.visible_to_user(current_user).where(project_id: project_ids_relation)
 
       if query =~ /#(\d+)\z/
         issues = issues.where(iid: $1)
author	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-03-17 23:48:19 +0300
committer	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-03-18 02:55:59 +0300
commit	f2ba4e3d364671cb100446b584502c5522a751df (patch)
tree	a4355d82ec73cd4457a2be48a79a340ec7158eeb /lib/gitlab/search_results.rb
parent	e4f1c001e6886d6001a258bf2fad75f8b424eff1 (diff)