only users from groups the current user has access

b317d082 · Alexis Reigel · Jan Provaznik · 6c7a925e · b317d082 · b317d082
Commit b317d082 authored 6 years ago by Alexis Reigel Committed by Jan Provaznik 6 years ago
--- a/lib/gitlab/group_search_results.rb
+++ b/lib/gitlab/group_search_results.rb
@@ -10,7 +10,14 @@ def initialize(current_user, limit_projects, group, query, default_project_filte

    # rubocop:disable CodeReuse/ActiveRecord
    def users
-      super.where(id: @group.users_with_descendants)
+      # 1: get all groups the current user has access to
+      groups = GroupsFinder.new(current_user).execute.joins(:users)
+
+      # 2: get all users the current user has access to (-> `SearchResults#users`)
+      users = super
+
+      # 3: filter for users that belong to the previously selected groups
+      users.where(id: groups.select('members.user_id'))
    end
    # rubocop:enable CodeReuse/ActiveRecord
  end

--- a/spec/lib/gitlab/group_search_results_spec.rb
+++ b/spec/lib/gitlab/group_search_results_spec.rb
@@ -27,5 +27,15 @@

      expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq [user1]
    end
+
+    it 'does not return the user belonging to the private subgroup', :nested_groups do
+      user1 = create(:user, username: 'gob_bluth')
+      subgroup = create(:group, :private, parent: group)
+      create(:group_member, :developer, user: user1, group: subgroup)
+
+      create(:user, username: 'gob_2018')
+
+      expect(described_class.new(user, anything, group, 'gob').objects('users')).to eq []
+    end
  end
 end