Make sure the user only sees groups he's allowed to see

7a3ba8e9 · Bob Van Landuyt · b92e7103 · 7a3ba8e9 · 7a3ba8e9
Commit 7a3ba8e9 authored 7 years ago by Bob Van Landuyt
--- a/app/finders/group_descendants_finder.rb
+++ b/app/finders/group_descendants_finder.rb
@@ -73,13 +73,23 @@ class GroupDescendantsFinder
                     all_available: true).execute
  end
  
-  def all_descendant_groups
+  def all_visible_descendant_groups
+    groups_table = Group.arel_table
+    visible_for_user = if current_user
+                         groups_table[:id].in(
+                           Arel::Nodes::SqlLiteral.new(GroupsFinder.new(current_user, all_available: true).execute.select(:id).to_sql)
+                         )
+                       else
+                         groups_table[:visibility_level].eq(Gitlab::VisibilityLevel::PUBLIC)
+                       end
+
    Gitlab::GroupHierarchy.new(Group.where(id: parent_group))
      .base_and_descendants
+      .where(visible_for_user)
  end
  
  def subgroups_matching_filter
-    all_descendant_groups
+    all_visible_descendant_groups
      .where.not(id: parent_group)
      .search(params[:filter])
  end

--- a/spec/finders/group_descendants_finder_spec.rb
+++ b/spec/finders/group_descendants_finder_spec.rb
@@ -58,6 +58,19 @@ describe GroupDescendantsFinder do
        expect(found_group.preloaded_member_count).to eq(1)
      end
  
+      it 'does not include subgroups the user does not have access to' do
+        subgroup.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+        public_subgroup = create(:group, :public, parent: group, path: 'public-group')
+        other_subgroup = create(:group, :private, parent: group, path: 'visible-private-group')
+        other_user = create(:user)
+        other_subgroup.add_developer(other_user)
+
+        finder = described_class.new(current_user: other_user, parent_group: group)
+
+        expect(finder.execute).to contain_exactly(public_subgroup, other_subgroup)
+      end
+
      context 'with a filter' do
        let(:params) { { filter: 'test' } }
  
@@ -68,6 +81,21 @@ describe GroupDescendantsFinder do
          expect(finder.execute).to contain_exactly(matching_subgroup, matching_project)
        end
  
+        it 'does not include subgroups the user does not have access to' do
+          _invisible_subgroup = create(:group, :private, parent: group, name: 'test1')
+          other_subgroup = create(:group, :private, parent: group, name: 'test2')
+          public_subgroup = create(:group, :public, parent: group, name: 'test3')
+          other_subsubgroup = create(:group, :private, parent: other_subgroup, name: 'test4')
+          other_user = create(:user)
+          other_subgroup.add_developer(other_user)
+
+          finder = described_class.new(current_user: other_user,
+                                       parent_group: group,
+                                       params: params)
+
+          expect(finder.execute).to contain_exactly(other_subgroup, public_subgroup, other_subsubgroup)
+        end
+
        context 'with matching children' do
          it 'includes a group that has a subgroup matching the query and its parent' do
            matching_subgroup = create(:group, name: 'testgroup', parent: subgroup)