Users search in command palette should only return users from your groups/projects

Background

Global searches for users do not include any concept or filtering at the organization level. Autocomplete searches for users on the same cell will be able to see all users from all organizations on the cell.

Additionally, users have requested that Autocomplete for users only return users from groups and projects for which they are a member. Because of the nature of the command palette and autocomplete, I do not think Admin users should have different behavior.

From the duplicate issue:

Currently, when users perform a global search using /@ in the command window, the search results also display names outside their organization. This creates unnecessary noise for users who are primarily interested in searching within their own organization.

Expected Behavior:

  • When using the global command window with /@, search results should be limited to users within the current organization
  • Search results should not display users from other organizations

Business Impact:

  • Improved efficiency in searching for relevant users
  • Better user experience due to cleaner and more relevant search results
  • Less typing required to find the user name you are looking for

Open Questions:

  • How to organize the switch between global and org searches?
  • What should be the default (global or restricted to one's own org)?

Technical information

Existing autocomplete search for users is performed in:

Note: Since autocomplete uses SearchService to do the search, it can be backed by Basic search (Postgres) or Advanced search (Elasticsearch).

Proposal

Autocomplete searches for users should apply user group and project authorizations.

This fix should be applied for Advanced search and Basic search.

It should be delivered in multiple MRs behind a feature flag.

  1. Advanced search
    • Modifications should take place in Elastic::Latest::UserClassProxy.
    • Need to pass down an option that lets the query know it's coming from autocomplete to ensure that the changes only affect global searches (searches where project_id and group_id are not provided) that come from the command palette and not the search UI.
    • Use the Search::GroupsFinder and Search::ProjectsFinder to get the list of groups and projects to pass into the Elasticsearch query.
  2. Basic search
    • Modifications should take place in Gitlab::SearchResults and UsersFinder.
    • Need to pass down an option to the search results class to let the query know it's coming from autocomplete and should apply user group and project authorizations.
    • UsersFinder does not include the ability to filter by group or project; the finder needs to be modified to do so.
Edited by Terri Chu
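
The scoping rule in the proposal, as a small in-memory sketch added here for illustration (not GitLab's code): the filter applies only to global searches that come from autocomplete while the feature flag is on, and admins get no exemption. `MEMBERSHIPS`, `authorized_scope`, `search_users` and the `flag_enabled` option are hypothetical names, and the sample users are constructed.

```ruby
# Constructed sample data: user => groups/projects they are a member of.
MEMBERSHIPS = {
  "alice"  => { groups: [1], projects: [10] },
  "alan"   => { groups: [1], projects: [] },
  "alfred" => { groups: [2], projects: [10] },
  "alex"   => { groups: [3], projects: [30] }, # no group or project shared with alice
  "root"   => { groups: [],  projects: [] }    # admin without any memberships
}.freeze

# Hypothetical stand-in for the lookup the proposal assigns to
# Search::GroupsFinder and Search::ProjectsFinder.
def authorized_scope(current_user)
  MEMBERSHIPS.fetch(current_user, { groups: [], projects: [] })
end

# Hypothetical user search. Options mirror the proposal:
#   autocomplete: true    -> request came from the command palette
#   group_id / project_id -> scoped search, which must stay unchanged
#   flag_enabled          -> feature flag guarding the new behaviour
def search_users(term, current_user:, autocomplete: false,
                 group_id: nil, project_id: nil, flag_enabled: true)
  matches = MEMBERSHIPS.keys.select { |name| name.start_with?(term) }
  global = group_id.nil? && project_id.nil?

  # Legacy path, modelled here as a plain prefix match.
  return matches.sort unless flag_enabled && autocomplete && global

  # New path: keep only users who share a group or project with the searcher.
  scope = authorized_scope(current_user)
  matches.select do |name|
    member = MEMBERSHIPS[name]
    (member[:groups] & scope[:groups]).any? ||
      (member[:projects] & scope[:projects]).any?
  end.sort
end

if __FILE__ == $PROGRAM_NAME
  p search_users("al", current_user: "alice", autocomplete: true)
  p search_users("al", current_user: "root", autocomplete: true)
end
```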