Don't allow filtering by `in` alone on issue/MR dashboard

When `in` param is set while no `search` param is set, the issues and MRs finder won't use the `in` param. It'll instead skip the filter check and can result to SQL statement timeout. The fix is to check that if `in` param is set but no search, show the "Please select at least one filter to see results" message. Changelog: fixed

Don't allow filtering by `in` alone on issue/MR dashboard
When `in` param is set while no `search` param is set, the issues and MRs finder won't use the `in` param. It'll instead skip the filter check and can result to SQL statement timeout. The fix is to check that if `in` param is set but no search, show the "Please select at least one filter to see results" message. Changelog: fixed
138f3d1a · Patrick Bajao · 1b9dbdc9 · 138f3d1a · 138f3d1a
Commit 138f3d1a authored Mar 11, 2022 by Patrick Bajao
Showing with 26 additions and 7 deletions

app/controllers/dashboard_controller.rb app/controllers/dashboard_controller.rb +6 -1

spec/controllers/dashboard_controller_spec.rb spec/controllers/dashboard_controller_spec.rb +20 -6

No files found.
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -74,7 +74,12 @@ class DashboardController < Dashboard::ApplicationController
    no_scalar_filters_set = finder_type.scalar_params.none? { |k| params[k].present? }
    no_array_filters_set = finder_type.array_params.none? { |k, _| params[k].present? }

-    @no_filters_set = no_scalar_filters_set && no_array_filters_set
+    # The `in` param is a modifier of `search`. If it's present while the `search`
+    # param isn't, the finder won't use the `in` param. We consider this as a no
+    # filter scenario.
+    no_search_filter_set = params[:in].present? && params[:search].blank?
+
+    @no_filters_set = (no_scalar_filters_set && no_array_filters_set) || no_search_filter_set

    return unless @no_filters_set


--- a/spec/controllers/dashboard_controller_spec.rb
+++ b/spec/controllers/dashboard_controller_spec.rb
@@ -111,22 +111,36 @@ RSpec.describe DashboardController do

        it_behaves_like 'no filters are set'
      end
-    end

-    context "scalar filters" do
-      let(:params) { { author_id: user.id } }
+      context 'when in param is set but no search' do
+        let(:params) { { in: 'title' } }

+        it_behaves_like 'no filters are set'
+      end
+    end
+
+    shared_examples_for 'filters are set' do
      it 'sets @no_filters_set to false' do
        expect(assigns[:no_filters_set]).to eq(false)
      end
    end

+    context "scalar filters" do
+      let(:params) { { author_id: user.id } }
+
+      it_behaves_like 'filters are set'
+    end
+
    context "array filters" do
      let(:params) { { label_name: ['bug'] } }

-      it 'sets @no_filters_set to false' do
-        expect(assigns[:no_filters_set]).to eq(false)
-      end
+      it_behaves_like 'filters are set'
+    end
+
+    context 'search' do
+      let(:params) { { search: 'test' } }
+
+      it_behaves_like 'filters are set'
    end
  end
 end