Commit 982368dc authored by DJ Mountney's avatar DJ Mountney

Merge branch 'dz-restrict-autocomplete' into 'security-9-1'

Allow users autocomplete by author_id only for authenticated users

See merge request !2100
parent 7113b1a4
...@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController ...@@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
@users = [current_user, *@users].uniq @users = [current_user, *@users].uniq
end end
if params[:author_id].present? if params[:author_id].present? && current_user
author = User.find_by_id(params[:author_id]) author = User.find_by_id(params[:author_id])
@users = [author, *@users].uniq if author @users = [author, *@users].uniq if author
end end
......
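Review bot: The new condition on `if params[:author_id].present? && current_user` only requires a signed-in session; it does not check whether that user is allowed to see the record returned by `User.find_by_id(params[:author_id])`, so the author_id lookup still resolves any id for any authenticated caller. If restricting the lookup to authenticated users is the whole intent, a short comment stating that would keep the next maintainer from widening it again, e.g. `# The author_id lookup is intentionally limited to signed-in users.`. The enclosing action starts and ends outside the hunk, so whether @users is filtered by visibility later on cannot be judged from here.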
...@@ -170,12 +170,13 @@ describe AutocompleteController do ...@@ -170,12 +170,13 @@ describe AutocompleteController do
end end
context 'author of issuable included' do context 'author of issuable included' do
let(:body) { JSON.parse(response.body) }
context 'authenticated' do
before do before do
sign_in(user) sign_in(user)
end end
let(:body) { JSON.parse(response.body) }
it 'includes the author' do it 'includes the author' do
get(:users, author_id: non_member.id) get(:users, author_id: non_member.id)
...@@ -189,6 +190,15 @@ describe AutocompleteController do ...@@ -189,6 +190,15 @@ describe AutocompleteController do
end end
end end
context 'without authenticating' do
it 'returns empty result' do
get(:users, author_id: non_member.id)
expect(body).to be_empty
end
end
end
context 'skip_users parameter included' do context 'skip_users parameter included' do
before { sign_in(user) } before { sign_in(user) }
......
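Review bot: The new unauthenticated example at `it 'returns empty result'` asserts only `expect(body).to be_empty`, which would also pass if the action failed in some other way that happens to yield an empty JSON array; pairing it with a status assertion, `expect(response).to have_http_status(200)`, pins that the request succeeded and the author was deliberately omitted. Moving `let(:body)` up to the outer context so both the authenticated and unauthenticated contexts share it is a good change. The surrounding `describe AutocompleteController` block and the rest of the authenticated context lie outside the hunk.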