Merge branch '346247_authorize_auto_complete_action_for_vulnerabilities' into 'master'

Do not try to auto-complete vulnerabilities if the user is nil See merge request gitlab-org/gitlab!75112

Merge branch '346247_authorize_auto_complete_action_for_vulnerabilities' into 'master'
Do not try to auto-complete vulnerabilities if the user is nil See merge request gitlab-org/gitlab!75112
74c27d7c · Vitali Tatarintev · f51f45b9 · 3e0173cc · 74c27d7c · 74c27d7c
Commit 74c27d7c authored Nov 24, 2021 by Vitali Tatarintev
2 changed files
--- a/ee/app/finders/autocomplete/vulnerabilities_autocomplete_finder.rb
+++ b/ee/app/finders/autocomplete/vulnerabilities_autocomplete_finder.rb
@@ -20,7 +20,7 @@ module Autocomplete
    DEFAULT_AUTOCOMPLETE_LIMIT = 5

    def execute
-      return ::Vulnerability.none unless vulnerable.feature_available?(:security_dashboard)
+      return ::Vulnerability.none unless current_user && vulnerable.feature_available?(:security_dashboard)

      ::Security::VulnerabilitiesFinder # rubocop: disable CodeReuse/Finder
        .new(vulnerable)

--- a/ee/spec/finders/autocomplete/vulnerabilities_autocomplete_finder_spec.rb
+++ b/ee/spec/finders/autocomplete/vulnerabilities_autocomplete_finder_spec.rb
@@ -7,64 +7,73 @@ RSpec.describe Autocomplete::VulnerabilitiesAutocompleteFinder do
    let_it_be(:group, refind: true) { create(:group) }
    let_it_be(:project, refind: true) { create(:project, group: group) }
    let_it_be(:vulnerability) { create(:vulnerability, project: project) }
-    let(:params) { {} }

-    let_it_be(:user) { create(:user) }
+    let(:params) { {} }

    subject { described_class.new(user, vulnerable, params).execute }

    shared_examples 'autocomplete vulnerabilities finder' do
-      context 'when user does not have access to project' do
+      context 'when the given user is nil' do
+        let(:user) { nil }
+
        it { is_expected.to be_empty }
      end

-      context 'when user has access to project' do
-        before do
-          vulnerable.add_developer(user)
-        end
+      context 'when the given user is not nil' do
+        let_it_be(:user) { create(:user) }

-        context 'when security dashboards are not enabled' do
+        context 'when user does not have access to project' do
          it { is_expected.to be_empty }
        end

-        context 'when security dashboards are enabled' do
+        context 'when user has access to project' do
          before do
-            stub_licensed_features(security_dashboard: true)
+            vulnerable.add_developer(user)
          end

-          it { is_expected.to match_array([vulnerability]) }
+          context 'when security dashboards are not enabled' do
+            it { is_expected.to be_empty }
+          end

-          context 'when multiple vulnerabilities are found' do
+          context 'when security dashboards are enabled' do
            before do
-              create_list(:vulnerability, 10, project: project)
+              stub_licensed_features(security_dashboard: true)
            end

-            it 'returns max 5 items' do
-              expect(subject.count).to eq(5)
-            end
+            it { is_expected.to match_array([vulnerability]) }

-            it 'is sorted descending by id' do
-              expect(subject).to be_sorted(:id, :desc)
-            end
-          end
+            context 'when multiple vulnerabilities are found' do
+              before do
+                create_list(:vulnerability, 10, project: project)
+              end

-          context 'when search is provided in params' do
-            context 'and it matches ID of vulnerability' do
-              let(:params) { { search: vulnerability.id.to_s } }
+              it 'returns max 5 items' do
+                expect(subject.count).to eq(5)
+              end

-              it { is_expected.to match_array([vulnerability]) }
+              it 'is sorted descending by id' do
+                expect(subject).to be_sorted(:id, :desc)
+              end
            end

-            context 'and it matches title of vulnerability' do
-              let(:params) { { search: vulnerability.title } }
+            context 'when search is provided in params' do
+              context 'and it matches ID of vulnerability' do
+                let(:params) { { search: vulnerability.id.to_s } }

-              it { is_expected.to match_array([vulnerability]) }
-            end
+                it { is_expected.to match_array([vulnerability]) }
+              end
+
+              context 'and it matches title of vulnerability' do
+                let(:params) { { search: vulnerability.title } }
+
+                it { is_expected.to match_array([vulnerability]) }
+              end

-            context 'and it does not match neither title or id of vulnerability' do
-              let(:params) { { search: non_existing_record_id.to_s } }
+              context 'and it does not match neither title or id of vulnerability' do
+                let(:params) { { search: non_existing_record_id.to_s } }

-              it { is_expected.to be_empty }
+                it { is_expected.to be_empty }
+              end
            end
          end
        end