From 0b67d7a0fe79c05681c6e541105350d94fff6931 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Fri, 10 Jul 2015 17:36:24 -0700
Subject: Fix user autocomplete for unauthenticated users accessing public projects

Closes #1955
---
 CHANGELOG | 1 +
 app/controllers/autocomplete_controller.rb | 6 +++++-
 spec/controllers/autocomplete_controller_spec.rb | 24 ++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5daee9830ed..8524862da5a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.

 v 7.13.0 (unreleased)
+ - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
 - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
 - Add branch switching support for graphs (Daniel Gerhardt)
 - Fix external issue tracker hook/test for HTTPS URLs (Daniel Gerhardt)
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index 11af9895261..8b12643bb97 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -1,4 +1,6 @@
 class AutocompleteController < ApplicationController
+ skip_before_action :authenticate_user!, only: [:users]
+
 def users
 @users =
 if params[:project_id].present?
@@ -13,8 +15,10 @@ class AutocompleteController < ApplicationController
 if can?(current_user, :read_group, group)
 group.users
 end
- else
+ elsif current_user
 User.all
+ else
+ User.none
 end

 @users = @users.search(params[:search]) if params[:search].present?
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 9ad9cb41cc1..9be8d0333ad 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
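Review bot: With `skip_before_action :authenticate_user!, only: [:users]` in place, the refused-access path of `users` becomes reachable without a session, and in the second controller hunk the `if can?(current_user, :read_group, group)` branch has no `else`, so `@users` is `nil` when the check fails and the `@users.search(...)` line that follows would raise when a search term is sent. The project branch lies outside both hunks and presumably has the same shape, and the body of `users` continues past the hunk. Giving the refused case an explicit empty relation, for example `@users ||= User.none` directly after the closing `end` of the assignment, keeps a denied lookup from surfacing as an unhandled error, which would likely also make an existing-but-restricted id distinguishable from a missing one. It is worth confirming as well that the JSON rendered further down is limited to fields that are acceptable to show to logged-out visitors of a public project.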
@@ -48,4 +48,28 @@ describe AutocompleteController do
 it { expect(body).to be_kind_of(Array) }
 it { expect(body.size).to eq User.count }
 end
+
+ context 'unauthenticated user' do
+ let(:project) { create(:project, :public) }
+ let(:body) { JSON.parse(response.body) }
+
+ describe 'GET #users with public project' do
+ before do
+ project.team << [user, :guest]
+ get(:users, project_id: project.id)
+ end
+
+ it { expect(body).to be_kind_of(Array) }
+ it { expect(body.size).to eq 1 }
+ end
+
+ describe 'GET #users with no project' do
+ before do
+ get(:users)
+ end
+
+ it { expect(body).to be_kind_of(Array) }
+ it { expect(body.size).to eq 0 }
+ end
+ end
 end
--
cgit v1.2.1
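Review bot: The new `unauthenticated user` context covers only the permitted cases (a public project and no project at all), so nothing pins what a logged-out request receives for a project it is not allowed to read, or for a `group_id`. Those refusal paths are the ones the controller change newly opens to anonymous callers, and they are where a regression would disclose member lists. I would add a sibling `describe` that calls `get(:users, project_id: ...)` with a non-public project and asserts that no member data is returned, and a matching one for a group. `user` is defined outside this hunk, so its setup is not visible here.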