Make sure the user only sees groups he's allowed to see

This commit is contained in:
Bob Van Landuyt 2017-09-26 20:06:08 +02:00
parent b92e7103fc
commit 7a3ba8e984
2 changed files with 40 additions and 2 deletions

View file

@ -73,13 +73,23 @@ class GroupDescendantsFinder
all_available: true).execute
end
def all_descendant_groups
def all_visible_descendant_groups
groups_table = Group.arel_table
visible_for_user = if current_user
groups_table[:id].in(
Arel::Nodes::SqlLiteral.new(GroupsFinder.new(current_user, all_available: true).execute.select(:id).to_sql)
)
else
groups_table[:visibility_level].eq(Gitlab::VisibilityLevel::PUBLIC)
end
Gitlab::GroupHierarchy.new(Group.where(id: parent_group))
.base_and_descendants
.where(visible_for_user)
end
def subgroups_matching_filter
all_descendant_groups
all_visible_descendant_groups
.where.not(id: parent_group)
.search(params[:filter])
end

View file

@ -58,6 +58,19 @@ describe GroupDescendantsFinder do
expect(found_group.preloaded_member_count).to eq(1)
end
it 'does not include subgroups the user does not have access to' do
subgroup.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
public_subgroup = create(:group, :public, parent: group, path: 'public-group')
other_subgroup = create(:group, :private, parent: group, path: 'visible-private-group')
other_user = create(:user)
other_subgroup.add_developer(other_user)
finder = described_class.new(current_user: other_user, parent_group: group)
expect(finder.execute).to contain_exactly(public_subgroup, other_subgroup)
end
context 'with a filter' do
let(:params) { { filter: 'test' } }
@ -68,6 +81,21 @@ describe GroupDescendantsFinder do
expect(finder.execute).to contain_exactly(matching_subgroup, matching_project)
end
it 'does not include subgroups the user does not have access to' do
_invisible_subgroup = create(:group, :private, parent: group, name: 'test1')
other_subgroup = create(:group, :private, parent: group, name: 'test2')
public_subgroup = create(:group, :public, parent: group, name: 'test3')
other_subsubgroup = create(:group, :private, parent: other_subgroup, name: 'test4')
other_user = create(:user)
other_subgroup.add_developer(other_user)
finder = described_class.new(current_user: other_user,
parent_group: group,
params: params)
expect(finder.execute).to contain_exactly(other_subgroup, public_subgroup, other_subsubgroup)
end
context 'with matching children' do
it 'includes a group that has a subgroup matching the query and its parent' do
matching_subgroup = create(:group, name: 'testgroup', parent: subgroup)