Don't show suspended users in autocomplete fields unless you are staff

2024-11-26 11:13:38 +08:00 · 2014-05-13 11:44:06 -04:00 · 2014-05-13 11:44:06 -04:00 · 6e0eb89697
commit 6e0eb89697
parent 2d8a4ee91f
3 changed files with 35 additions and 19 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -295,7 +295,7 @@ class UsersController < ApplicationController
    topic_id = params[:topic_id]
    topic_id = topic_id.to_i if topic_id

-    results = UserSearch.new(term, topic_id).search
+    results = UserSearch.new(term, topic_id: topic_id, searching_user: current_user).search

    user_fields = [:username, :use_uploaded_avatar, :upload_avatar_template, :uploaded_avatar_id]
    user_fields << :name if SiteSetting.enable_names?
--- a/app/models/user_search.rb
+++ b/app/models/user_search.rb
@ -1,10 +1,11 @@
 # Searches for a user by username or full text or name (if enabled in SiteSettings)
 class UserSearch

-  def initialize(term, topic_id=nil)
+  def initialize(term, opts={})
    @term = term
    @term_like = "#{term.downcase}%"
-    @topic_id = topic_id
+    @topic_id = opts[:topic_id]
+    @searching_user = opts[:searching_user]
  end

  def search
@ -31,6 +32,10 @@ class UserSearch
                   .order("CASE WHEN s.user_id IS NULL THEN 0 ELSE 1 END DESC")
    end

+    unless @searching_user && @searching_user.staff?
+      users = users.not_suspended
+    end
+
    users.order("CASE WHEN last_seen_at IS NULL THEN 0 ELSE 1 END DESC, last_seen_at DESC, username ASC")
         .limit(20)
  end
--- a/spec/models/user_search_spec.rb
+++ b/spec/models/user_search_spec.rb
@ -2,15 +2,17 @@ require 'spec_helper'

 describe UserSearch do

-  let(:topic)  { Fabricate :topic }
-  let(:topic2) { Fabricate :topic }
-  let(:topic3) { Fabricate :topic }
-  let(:user1)  { Fabricate :user, username: "mrblonde", name: "Michael Madsen" }
-  let(:user2)  { Fabricate :user, username: "mrblue",   name: "Eddie Bunker" }
-  let(:user3)  { Fabricate :user, username: "mrorange", name: "Tim Roth" }
-  let(:user4)  { Fabricate :user, username: "mrpink",   name: "Steve Buscemi" }
-  let(:user5)  { Fabricate :user, username: "mrbrown",  name: "Quentin Tarantino" }
-  let(:user6)  { Fabricate :user, username: "mrwhite",  name: "Harvey Keitel" }
+  let(:topic)     { Fabricate :topic }
+  let(:topic2)    { Fabricate :topic }
+  let(:topic3)    { Fabricate :topic }
+  let(:user1)     { Fabricate :user, username: "mrblonde", name: "Michael Madsen" }
+  let(:user2)     { Fabricate :user, username: "mrblue",   name: "Eddie Bunker" }
+  let(:user3)     { Fabricate :user, username: "mrorange", name: "Tim Roth" }
+  let(:user4)     { Fabricate :user, username: "mrpink",   name: "Steve Buscemi" }
+  let(:user5)     { Fabricate :user, username: "mrbrown",  name: "Quentin Tarantino" }
+  let(:user6)     { Fabricate :user, username: "mrwhite",  name: "Harvey Keitel" }
+  let(:admin)     { Fabricate :admin, username: "theadmin" }
+  let(:moderator) { Fabricate :moderator, username: "themod" }

  before do
    Fabricate :post, user: user1, topic: topic
@ -19,6 +21,7 @@ describe UserSearch do
    Fabricate :post, user: user4, topic: topic
    Fabricate :post, user: user5, topic: topic3
    Fabricate :post, user: user6, topic: topic
+    user6.update_attributes(suspended_at: 1.day.ago, suspended_till: 1.year.from_now)
  end

  def search_for(*args)
@ -49,28 +52,36 @@ describe UserSearch do
    results.first.should == user4

    # substrings
+    # only staff members see suspended users in results
    results = search_for("mr")
-    results.size.should == 6
+    results.size.should == 5
+    results.should_not include(user6)
+    search_for("mr", searching_user: user1).size.should == 5

-    results = search_for("mrb")
+    results = search_for("mr", searching_user: admin)
+    results.size.should == 6
+    results.should include(user6)
+    search_for("mr", searching_user: moderator).size.should == 6
+
+    results = search_for("mrb", searching_user: admin)
    results.size.should == 3


-    results = search_for("MR")
+    results = search_for("MR", searching_user: admin)
    results.size.should == 6

-    results = search_for("MRB")
+    results = search_for("MRB", searching_user: admin)
    results.size.should == 3

    # topic priority
-    results = search_for("mrb", topic.id)
+    results = search_for("mrb", topic_id: topic.id)
    results.first.should == user1


-    results = search_for("mrb", topic2.id)
+    results = search_for("mrb", topic_id: topic2.id)
    results.first.should == user2

-    results = search_for("mrb", topic3.id)
+    results = search_for("mrb", topic_id: topic3.id)
    results.first.should == user5

    # When searching by name is enabled, it returns the record