Commit 4c684a8d authored by Alexis Reigel's avatar Alexis Reigel

check ability for user search results

parent b4437cfa
...@@ -138,6 +138,8 @@ module Gitlab ...@@ -138,6 +138,8 @@ module Gitlab
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def users def users
return User.none unless Ability.allowed?(current_user, :read_users_list)
UsersFinder.new(current_user, search: query).execute UsersFinder.new(current_user, search: query).execute
end end
......
...@@ -123,6 +123,14 @@ describe Gitlab::SearchResults do ...@@ -123,6 +123,14 @@ describe Gitlab::SearchResults do
end end
describe '#users' do describe '#users' do
it 'does not call the UsersFinder when the current_user is not allowed to read users list' do
allow(Ability).to receive(:allowed?).and_return(false)
expect(UsersFinder).not_to receive(:new).with(user, search: 'foo').and_call_original
results.objects('users')
end
it 'calls the UsersFinder' do it 'calls the UsersFinder' do
expect(UsersFinder).to receive(:new).with(user, search: 'foo').and_call_original expect(UsersFinder).to receive(:new).with(user, search: 'foo').and_call_original
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment