From 982368dc55bbd22f82bf908f8af220056202a65a Mon Sep 17 00:00:00 2001
From: DJ Mountney
Date: Thu, 8 Jun 2017 09:52:27 -0700
Subject: Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users
See merge request !2100
---
 app/controllers/autocomplete_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'app/controllers/autocomplete_controller.rb')
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 907717dcb96..fe331a883c1 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
 @users = [current_user, *@users].uniq
 end
- if params[:author_id].present?
+ if params[:author_id].present? && current_user
 author = User.find_by_id(params[:author_id])
 @users = [author, *@users].uniq if author
 end
--
cgit v1.2.3
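Review bot: `User.find_by_id(params[:author_id])` remains unscoped once the new `&& current_user` guard passes, so any signed-in caller can still have an arbitrary account prepended to `@users`, whatever project or group filtering built that list earlier in the action (that code is outside the hunk, so this is inferred). If the lookup exists only to keep an already-selected author visible in a filter, say so above the condition, e.g. `# author_id bypasses the scoped @users list; signed-in users only, so anonymous callers cannot enumerate accounts by id`, and confirm whether blocked or otherwise hidden accounts should be returned here. The diffstat shows a single file changed, so no spec accompanies the fix; a controller spec asserting that an unauthenticated request carrying `author_id` does not return that user would keep the guard from regressing. The enclosing action starts and ends outside the hunk.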