Search autocomplete should only return users from your groups/projects
Background
Global searches for users do not include any concept or filtering at the organization level. Autocomplete searches for users on the same cell will be able to see all users from all organizations on the cell.
Additionally, users have requested that autocomplete for users only return users from groups and projects of which they are a member. Because of the nature of the command palette and autocomplete, I do not think Admin users should have different behavior.
Proposal
Existing autocomplete search for users is performed in:
- SearchController
- SearchHelper#users_autocomplete
The following changes need to be implemented:
- Autocomplete searches for users should always apply user group and project authorizations
Note: Since autocomplete uses SearchService to do the search, it can be backed by basic search (Postgres) or advanced search (Elasticsearch).
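The scoping rule proposed above, sketched as an added example that is not GitLab's code: it filters an in-memory user list rather than going through SearchService, Postgres or Elasticsearch. The method names, the `User` struct and all sample data are hypothetical and constructed for illustration.

```ruby
require 'set'

# Constructed sample data (not from the issue): users, plus the member ids of
# each group and project. Paths and names are made up.
User = Struct.new(:id, :username, :name, :admin, keyword_init: true)

USERS = [
  User.new(id: 1, username: 'alice',  name: 'Alice A',       admin: false),
  User.new(id: 2, username: 'alan',   name: 'Alan B',        admin: false),
  User.new(id: 3, username: 'albert', name: 'Albert C',      admin: false),
  User.new(id: 4, username: 'root',   name: 'Administrator', admin: true),
  User.new(id: 5, username: 'alina',  name: 'Alina D',       admin: false)
].freeze

GROUP_MEMBERS   = { 'org-a/platform' => [1, 2], 'org-b/sales' => [3, 5] }.freeze
PROJECT_MEMBERS = { 'org-a/platform/api' => [1, 4], 'org-b/sales/crm' => [3] }.freeze

# Ids of every user who shares at least one group or project with current_user.
def authorized_user_ids(current_user)
  return Set.new if current_user.nil? # anonymous caller: nothing is visible

  (GROUP_MEMBERS.values + PROJECT_MEMBERS.values)
    .select { |member_ids| member_ids.include?(current_user.id) }
    .flatten
    .to_set
end

# Hypothetical scoped autocomplete. The membership filter runs for every
# caller (the admin flag is never consulted) and is applied before the term
# match and the limit, so out-of-scope users cannot use up result slots.
def scoped_users_autocomplete(current_user, term, limit: 5)
  needle = term.to_s.strip.downcase
  return [] if needle.empty?

  visible = authorized_user_ids(current_user)
  USERS.select { |u| visible.include?(u.id) }
       .select { |u| u.username.downcase.start_with?(needle) || u.name.downcase.start_with?(needle) }
       .first(limit)
       .map(&:username)
end
```

With this data, a search for `al` by `alice` returns only `alice` and `alan`, and the admin `root` gets only `alice`, because `albert` and `alina` share no group or project with either caller.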