Update list user projects API for admins

bec88a18 · Firdaws Farukh · Terri Chu · 31c9e3cb · bec88a18 · bec88a18
Commit bec88a18 authored Nov 22, 2021 by Firdaws Farukh Committed by Terri Chu Nov 22, 2021
4 changed files
--- a/app/finders/personal_projects_finder.rb
+++ b/app/finders/personal_projects_finder.rb
@@ -28,6 +28,7 @@ class PersonalProjectsFinder < UnionFinder
  private

  def all_projects(current_user)
+    return [@user.personal_projects] if current_user && current_user.can_read_all_resources?
    return [projects_with_min_access_level(current_user)] if current_user && min_access_level?

    projects = []

--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -369,6 +369,9 @@ Keyset pagination supports only `order_by=id`. Other sorting options aren't avai
 Get a list of visible projects owned by the given user. When accessed without
 authentication, only public projects are returned.

+NOTE:
+Only the projects in the user's (specified in `user_id`) namespace are returned. Projects owned by the user in any group or subgroups are not returned.
+
 This endpoint supports [keyset pagination](index.md#keyset-based-pagination)
 for selected `order_by` options.


--- a/spec/finders/personal_projects_finder_spec.rb
+++ b/spec/finders/personal_projects_finder_spec.rb
@@ -3,14 +3,16 @@
 require 'spec_helper'

 RSpec.describe PersonalProjectsFinder do
-  let(:source_user)     { create(:user) }
-  let(:current_user)    { create(:user) }
-  let(:finder)          { described_class.new(source_user) }
+  let_it_be(:source_user)     { create(:user) }
+  let_it_be(:current_user)    { create(:user) }
+  let_it_be(:admin)           { create(:admin) }
+
+  let(:finder)                { described_class.new(source_user) }
  let!(:public_project) do
-    create(:project, :public, namespace: source_user.namespace, updated_at: 1.hour.ago)
+    create(:project, :public, namespace: source_user.namespace, updated_at: 1.hour.ago, path: 'pblc')
  end

-  let!(:private_project) do
+  let!(:private_project_shared) do
    create(:project, :private, namespace: source_user.namespace, updated_at: 3.hours.ago, path: 'mepmep')
  end

@@ -18,8 +20,12 @@ RSpec.describe PersonalProjectsFinder do
    create(:project, :internal, namespace: source_user.namespace, updated_at: 2.hours.ago, path: 'C')
  end

+  let!(:private_project_self) do
+    create(:project, :private, namespace: source_user.namespace, updated_at: 3.hours.ago, path: 'D')
+  end
+
  before do
-    private_project.add_developer(current_user)
+    private_project_shared.add_developer(current_user)
  end

  describe 'without a current user' do
@@ -29,18 +35,26 @@ RSpec.describe PersonalProjectsFinder do
  end

  describe 'with a current user' do
-    subject { finder.execute(current_user) }
-
    context 'normal user' do
-      it { is_expected.to eq([public_project, internal_project, private_project]) }
+      subject { finder.execute(current_user) }
+
+      it { is_expected.to match_array([public_project, internal_project, private_project_shared]) }
    end

    context 'external' do
+      subject { finder.execute(current_user) }
+
      before do
        current_user.update!(external: true)
      end

-      it { is_expected.to eq([public_project, private_project]) }
+      it { is_expected.to match_array([public_project, private_project_shared]) }
+    end
+
+    context 'and searching with an admin user', :enable_admin_mode do
+      subject { finder.execute(admin) }
+
+      it { is_expected.to match_array([public_project, internal_project, private_project_self, private_project_shared]) }
    end
  end
 end
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1504,6 +1504,20 @@ RSpec.describe API::Projects do
      expect(json_response.map { |project| project['id'] }).to contain_exactly(private_project1.id)
    end

+    context 'and using an admin to search', :enable_admin_mode, :aggregate_errors do
+      it 'returns users projects when authenticated as admin' do
+        private_project1 = create(:project, :private, name: 'private_project1', creator_id: user4.id, namespace: user4.namespace)
+
+        # min_access_level does not make any difference when admins search for a user's projects
+        get api("/users/#{user4.id}/projects/", admin), params: { min_access_level: 30 }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response.map { |project| project['id'] }).to contain_exactly(project4.id, private_project1.id, public_project.id)
+      end
+    end
+
    context 'and using the programming language filter' do
      include_context 'with language detection'