Commit 524f6515 authored by Bob Van Landuyt

Only expand ancestors when searching

Not all_groups, since that would expose groups the user does not have
access to
parent da5073cc
module GroupTree module GroupTree
def render_group_tree(groups) def render_group_tree(groups)
if params[:filter].present? @groups = if params[:filter].present?
@groups = Gitlab::GroupHierarchy.new(groups).all_groups Gitlab::GroupHierarchy.new(groups.search(params[:filter]))
@groups = Gitlab::GroupHierarchy.new(@groups.search(params[:filter])).base_and_ancestors .base_and_ancestors
else else
# Only show root groups if no parent-id is given # Only show root groups if no parent-id is given
@groups = groups.where(parent_id: params[:parent_id]) groups.where(parent_id: params[:parent_id])
end end
@groups = @groups.with_selects_for_list @groups = @groups.with_selects_for_list
.sort(@sort = params[:sort]) .sort(@sort = params[:sort])
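Review bot: The new `base_and_ancestors` call on lines 11–12 walks upward from the `groups` relation without re-applying the caller's access filter, so a user who can see only a subgroup still gets its private parents in `@groups`; that is presumably intended so matches can be rendered as a tree, but nothing in the method says so, and a future reader may "fix" it back to `all_groups`. I would add a comment above the assignment: `# Expand upward only: ancestors are needed to render matches as a tree, and unlike all_groups this never pulls in descendants outside the authorized scope.` The safety of this also depends on the caller passing an already-authorized relation (the spec switches to `GroupsFinder.new(current_user).execute`); a bare `Group.all` would still expose everything, so the comment should state that `groups` must be pre-filtered. `render_group_tree` continues past the end of the hunk.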
......
...@@ -9,7 +9,7 @@ describe GroupTree do ...@@ -9,7 +9,7 @@ describe GroupTree do
include GroupTree # rubocop:disable RSpec/DescribedClass include GroupTree # rubocop:disable RSpec/DescribedClass
def index def index
render_group_tree Group.all render_group_tree GroupsFinder.new(current_user).execute
end end
end end
...@@ -52,6 +52,17 @@ describe GroupTree do ...@@ -52,6 +52,17 @@ describe GroupTree do
expect(assigns(:groups)).to contain_exactly(group, subgroup) expect(assigns(:groups)).to contain_exactly(group, subgroup)
end end
it 'does not include groups the user does not have access to' do
parent = create(:group, :private)
subgroup = create(:group, :private, parent: parent, name: 'filter')
subgroup.add_developer(user)
_other_subgroup = create(:group, :private, parent: parent, name: 'filte')
get :index, filter: 'filt', format: :json
expect(assigns(:groups)).to contain_exactly(parent, subgroup)
end
end end
context 'json content' do context 'json content' do
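Review bot: The example name on line 29, 'does not include groups the user does not have access to', contradicts its own expectation on line 35, which requires `parent` — a private group the user is not a member of — to be present because ancestors are expanded. The name should describe the actual contract so the inclusion of `parent` is not read as a regression later, e.g. `it 'includes ancestors of matching groups but not inaccessible siblings' do`. The `contain_exactly` assertion already proves `_other_subgroup` is excluded, so no extra negative assertion is needed.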
......