From 41fd6d4d38aaef723e501ff3ab38ae63e31d4efb Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 3 Feb 2022 11:28:54 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee

---
 app/finders/users_finder.rb |  2 +-
 app/models/user.rb          | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

(limited to 'app')

diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb
index 8054ecbd502..2b4ce615090 100644
--- a/app/finders/users_finder.rb
+++ b/app/finders/users_finder.rb
@@ -74,7 +74,7 @@ class UsersFinder
   def by_search(users)
     return users unless params[:search].present?
 
-    users.search(params[:search])
+    users.search(params[:search], with_private_emails: current_user&.admin?)
   end
 
   def by_blocked(users)
diff --git a/app/models/user.rb b/app/models/user.rb
index a587723053f..1d452fc2e50 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -648,6 +648,7 @@ class User < ApplicationRecord
   # This method uses ILIKE on PostgreSQL.
   #
   # query - The search query as a String
+  # with_private_emails - include private emails in search
   #
   # Returns an ActiveRecord::Relation.
   def search(query, **options)
@@ -660,14 +661,16 @@ class User < ApplicationRecord
       CASE
         WHEN users.name = :query THEN 0
         WHEN users.username = :query THEN 1
-        WHEN users.email = :query THEN 2
+        WHEN users.public_email = :query THEN 2
         ELSE 3
       END
     SQL
 
     sanitized_order_sql = Arel.sql(sanitize_sql_array([order, query: query]))
 
-    search_with_secondary_emails(query).reorder(sanitized_order_sql, :name)
+    scope = options[:with_private_emails] ? search_with_secondary_emails(query) : search_with_public_emails(query)
+
+    scope.reorder(sanitized_order_sql, :name)
   end
 
   # Limits the result set to users _not_ in the given query/list of IDs.
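Review bot: The gate on the new `with_private_emails:` option in `by_search` is a bare role predicate, `current_user&.admin?`; if this application distinguishes an admin account from an admin-mode session (common in Rails apps, and not visible here), a plain `admin?` grants private-email lookup to every admin account regardless of that mode, so the project's standard admin-authorization helper would be the safer check if one exists. For an anonymous caller the safe-navigation yields `nil`, which falls through to the public-email path, so the check fails closed as intended. A why-comment above the call would stop a future refactor from dropping the gate, e.g. `# Matching on primary/secondary emails is an account-enumeration oracle; only admins may search by them.` The rest of UsersFinder's filters lie outside this hunk.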
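Review bot: The ranking `CASE` in `search` now boosts only `users.public_email = :query` to rank 2, yet the `with_private_emails` branch still matches on primary and secondary emails, so for an admin an exact primary-email hit is ranked 3 alongside fuzzy name matches instead of sorting first as it did before this change. If that is unintended, choose the column per branch from a fixed internal literal, e.g. `email_column = options[:with_private_emails] ? 'email' : 'public_email'` and `WHEN users.#{email_column} = :query THEN 2` (interpolating only that constant, never the query, which still goes through `sanitize_sql_array`). Keeping `public_email` in the non-admin branch is the right call: an ordering that referenced `users.email` could reveal whether a fuzzy name hit also owns the queried address. The opening of `search` and the `order` heredoc start are outside this hunk.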
@@ -682,6 +685,18 @@ class User < ApplicationRecord
     reorder(:name)
   end
 
+  def search_with_public_emails(query)
+    return none if query.blank?
+
+    query = query.downcase
+
+    where(
+      fuzzy_arel_match(:name, query, use_minimum_char_limit: user_search_minimum_char_limit)
+        .or(fuzzy_arel_match(:username, query, use_minimum_char_limit: user_search_minimum_char_limit))
+        .or(arel_table[:public_email].eq(query))
+    )
+  end
+
   def search_without_secondary_emails(query)
     return none if query.blank?
 
-- cgit v1.2.3
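Review bot: `search_with_public_emails` compares `arel_table[:public_email].eq(query)` after `query = query.downcase`, a case-sensitive equality against the lowercased input; unless `public_email` is normalised to lower case on write (not visible here), an address stored as `Jane@Example.com` will never match, whereas the `fuzzy_arel_match` branches (ILIKE per the method doc) are case-insensitive. If storage is not normalised, `arel_table[:public_email].lower.eq(query)` makes the behaviour uniform, at the cost of a plain-index lookup, and should agree with whatever the sibling `search_with_secondary_emails` does, which is outside this hunk. The method also deserves a comment stating its security purpose so nobody later "helpfully" adds `users.email` to it, e.g. `# Non-admin search path: fuzzy on name/username, exact on public_email only; never touches users.email or secondary emails, so callers cannot enumerate accounts by private address.`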