Merge branch 'dz-restrict-autocomplete' into 'security-9-1'
Allow users autocomplete by author_id only for authenticated users. See merge request !2100
parent
7113b1a45b
commit
982368dc55
@ -21,7 +21,7 @@ class AutocompleteController < ApplicationController
|
|||
@users = [current_user, *@users].uniq
|
||||
end
|
||||
|
||||
if params[:author_id].present?
|
||||
if params[:author_id].present? && current_user
|
||||
author = User.find_by_id(params[:author_id])
|
||||
@users = [author, *@users].uniq if author
|
||||
end
|
||||
|
|
|
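Review bot: The new `&& current_user` guard on the `if` line only requires a logged-in session; any authenticated user can still pass arbitrary `author_id` values and learn, from the returned username, whether a user with that id exists, because `User.find_by_id(params[:author_id])` on the following line is not scoped by any visibility rule. That may be intended for the author of an issuable (the spec deliberately uses a non-member), but if the user model carries a blocked or inactive state, those users should presumably be excluded here the same way they are when `@users` is built earlier in the action — confirm against that lookup. As a small style point, putting the cheap nil check first reads more naturally: `if current_user && params[:author_id].present?`. The enclosing `users` action starts before and ends after this hunk.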
@ -170,22 +170,32 @@ describe AutocompleteController do
|
|||
end
|
||||
|
||||
context 'author of issuable included' do
|
||||
before do
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
let(:body) { JSON.parse(response.body) }
|
||||
|
||||
it 'includes the author' do
|
||||
get(:users, author_id: non_member.id)
|
||||
context 'authenticated' do
|
||||
before do
|
||||
sign_in(user)
|
||||
end
|
||||
|
||||
expect(body.first["username"]).to eq non_member.username
|
||||
it 'includes the author' do
|
||||
get(:users, author_id: non_member.id)
|
||||
|
||||
expect(body.first["username"]).to eq non_member.username
|
||||
end
|
||||
|
||||
it 'rejects non existent user ids' do
|
||||
get(:users, author_id: 99999)
|
||||
|
||||
expect(body.collect { |u| u['id'] }).not_to include(99999)
|
||||
end
|
||||
end
|
||||
|
||||
it 'rejects non existent user ids' do
|
||||
get(:users, author_id: 99999)
|
||||
context 'without authenticating' do
|
||||
it 'returns empty result' do
|
||||
get(:users, author_id: non_member.id)
|
||||
|
||||
expect(body.collect { |u| u['id'] }).not_to include(99999)
|
||||
expect(body).to be_empty
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
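Review bot: The `without authenticating` example only asserts `expect(body).to be_empty`; it does not pin the response status, so if the action is later changed to redirect or return 401 for anonymous users the example would fail inside `JSON.parse` in the `let(:body)` helper rather than with a readable expectation. Add `expect(response.status).to eq 200` (or whatever status is intended for anonymous callers) before the emptiness check so the contract being protected is explicit. The `describe AutocompleteController` block and its `let` definitions for `user` and `non_member` start before this section, so the fixtures the examples rely on are not visible here.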