restrict user result set by the scoped group

2018-12-17 14:30:49 +01:00 · 2018-12-17 14:30:49 +01:00 · db0cf70970
commit db0cf70970
parent 3b01d23af0
2 changed files with 19 additions and 3 deletions
--- a/lib/gitlab/group_search_results.rb
+++ b/lib/gitlab/group_search_results.rb
@ -13,11 +13,17 @@ module Gitlab
      # 1: get all groups the current user has access to
      groups = GroupsFinder.new(current_user).execute.joins(:users)

-      # 2: get all users the current user has access to (-> `SearchResults#users`)
+      # 2: Get the group's whole hierarchy
+      group_users = @group.direct_and_indirect_users
+
+      # 3: get all users the current user has access to (->
+      # `SearchResults#users`), which also applies the query.
      users = super

-      # 3: filter for users that belong to the previously selected groups
-      users.where(id: groups.select('members.user_id'))
+      # 4: filter for users that belong to the previously selected groups
+      users
+        .where(id: group_users.select('id'))
+        .where(id: groups.select('members.user_id'))
    end
    # rubocop:enable CodeReuse/ActiveRecord
  end
--- a/spec/lib/gitlab/group_search_results_spec.rb
+++ b/spec/lib/gitlab/group_search_results_spec.rb
@ -55,5 +55,15 @@ describe Gitlab::GroupSearchResults do

      expect(result).to eq []
    end
+
+    it 'does not return the user belonging to an unrelated group' do
+      user = create(:user, username: 'gob_bluth')
+      unrelated_group = create(:group)
+      create(:group_member, :developer, user: user, group: unrelated_group)
+
+      result = described_class.new(user, anything, group, 'gob').objects('users')
+
+      expect(result).to eq []
+    end
  end
 end