Diffstat (limited to 'app/finders/users_finder.rb')
-rw-r--r-- | app/finders/users_finder.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb
index 88ba635e20b..101562de209 100644
--- a/app/finders/users_finder.rb
+++ b/app/finders/users_finder.rb
@@ -55,7 +55,16 @@ class UsersFinder
   private
 
   def base_scope
-    scope = current_user&.can_admin_all_resources? ? User.all : User.without_forbidden_states
+    group = params[:group]
+
+    if group
+      raise Gitlab::Access::AccessDeniedError unless user_can_read_group?(group)
+
+      scope = ::Autocomplete::GroupUsersFinder.new(group: group).execute # rubocop: disable CodeReuse/Finder -- For SQL optimization sake we need to scope out group members first see: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137647#note_1664081899
+    else
+      scope = current_user&.can_admin_all_resources? ? User.all : User.without_forbidden_states
+    end
+
     scope.order_id_desc
   end
 
@@ -155,6 +164,10 @@ class UsersFinder
     users.order_by(params[:sort])
   end
   # rubocop: enable CodeReuse/ActiveRecord
+
+  def user_can_read_group?(group)
+    Ability.allowed?(current_user, :read_group, group)
+  end
 end
 
 UsersFinder.prepend_mod_with('UsersFinder')
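Review bot: In the new `if group` branch of `base_scope`, the `User.without_forbidden_states` restriction that the non-admin path still applies in the `else` branch is dropped entirely, so what a non-admin caller with `params[:group]` set can see now depends solely on what `::Autocomplete::GroupUsersFinder#execute` filters out; if that finder does not exclude blocked or banned accounts, this hunk widens the result set relative to the old scope for every caller that passes a group. Either apply the same state filter in the group branch (e.g. `scope = scope.without_forbidden_states unless current_user&.can_admin_all_resources?` after the finder call) or add a comment stating that the group finder already enforces it, so the invariant is visible here rather than in another finder. The `raise Gitlab::Access::AccessDeniedError` guard is the right check, but note it now turns a plain finder call into one that can raise for a group the caller cannot read; callers of `UsersFinder#execute` that previously got an empty or unscoped result should be reviewed for that. As a matter of style, the `# rubocop: disable CodeReuse/Finder -- ...` rationale with the MR link belongs on its own comment line above the assignment rather than trailing a 200-character line.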