Don't show suspended users in autocomplete fields unless you are staff

This commit is contained in:
Neil Lalonde 2014-05-13 11:44:06 -04:00
parent 2d8a4ee91f
commit 6e0eb89697
3 changed files with 35 additions and 19 deletions

View File

@ -295,7 +295,7 @@ class UsersController < ApplicationController
topic_id = params[:topic_id] topic_id = params[:topic_id]
topic_id = topic_id.to_i if topic_id topic_id = topic_id.to_i if topic_id
results = UserSearch.new(term, topic_id).search results = UserSearch.new(term, topic_id: topic_id, searching_user: current_user).search
user_fields = [:username, :use_uploaded_avatar, :upload_avatar_template, :uploaded_avatar_id] user_fields = [:username, :use_uploaded_avatar, :upload_avatar_template, :uploaded_avatar_id]
user_fields << :name if SiteSetting.enable_names? user_fields << :name if SiteSetting.enable_names?

View File

@ -1,10 +1,11 @@
# Searches for a user by username or full text or name (if enabled in SiteSettings) # Searches for a user by username or full text or name (if enabled in SiteSettings)
class UserSearch class UserSearch
def initialize(term, topic_id=nil) def initialize(term, opts={})
@term = term @term = term
@term_like = "#{term.downcase}%" @term_like = "#{term.downcase}%"
@topic_id = topic_id @topic_id = opts[:topic_id]
@searching_user = opts[:searching_user]
end end
def search def search
@ -31,6 +32,10 @@ class UserSearch
.order("CASE WHEN s.user_id IS NULL THEN 0 ELSE 1 END DESC") .order("CASE WHEN s.user_id IS NULL THEN 0 ELSE 1 END DESC")
end end
unless @searching_user && @searching_user.staff?
users = users.not_suspended
end
users.order("CASE WHEN last_seen_at IS NULL THEN 0 ELSE 1 END DESC, last_seen_at DESC, username ASC") users.order("CASE WHEN last_seen_at IS NULL THEN 0 ELSE 1 END DESC, last_seen_at DESC, username ASC")
.limit(20) .limit(20)
end end

View File

@ -2,15 +2,17 @@ require 'spec_helper'
describe UserSearch do describe UserSearch do
let(:topic) { Fabricate :topic } let(:topic) { Fabricate :topic }
let(:topic2) { Fabricate :topic } let(:topic2) { Fabricate :topic }
let(:topic3) { Fabricate :topic } let(:topic3) { Fabricate :topic }
let(:user1) { Fabricate :user, username: "mrblonde", name: "Michael Madsen" } let(:user1) { Fabricate :user, username: "mrblonde", name: "Michael Madsen" }
let(:user2) { Fabricate :user, username: "mrblue", name: "Eddie Bunker" } let(:user2) { Fabricate :user, username: "mrblue", name: "Eddie Bunker" }
let(:user3) { Fabricate :user, username: "mrorange", name: "Tim Roth" } let(:user3) { Fabricate :user, username: "mrorange", name: "Tim Roth" }
let(:user4) { Fabricate :user, username: "mrpink", name: "Steve Buscemi" } let(:user4) { Fabricate :user, username: "mrpink", name: "Steve Buscemi" }
let(:user5) { Fabricate :user, username: "mrbrown", name: "Quentin Tarantino" } let(:user5) { Fabricate :user, username: "mrbrown", name: "Quentin Tarantino" }
let(:user6) { Fabricate :user, username: "mrwhite", name: "Harvey Keitel" } let(:user6) { Fabricate :user, username: "mrwhite", name: "Harvey Keitel" }
let(:admin) { Fabricate :admin, username: "theadmin" }
let(:moderator) { Fabricate :moderator, username: "themod" }
before do before do
Fabricate :post, user: user1, topic: topic Fabricate :post, user: user1, topic: topic
@ -19,6 +21,7 @@ describe UserSearch do
Fabricate :post, user: user4, topic: topic Fabricate :post, user: user4, topic: topic
Fabricate :post, user: user5, topic: topic3 Fabricate :post, user: user5, topic: topic3
Fabricate :post, user: user6, topic: topic Fabricate :post, user: user6, topic: topic
user6.update_attributes(suspended_at: 1.day.ago, suspended_till: 1.year.from_now)
end end
def search_for(*args) def search_for(*args)
@ -49,28 +52,36 @@ describe UserSearch do
results.first.should == user4 results.first.should == user4
# substrings # substrings
# only staff members see suspended users in results
results = search_for("mr") results = search_for("mr")
results.size.should == 6 results.size.should == 5
results.should_not include(user6)
search_for("mr", searching_user: user1).size.should == 5
results = search_for("mrb") results = search_for("mr", searching_user: admin)
results.size.should == 6
results.should include(user6)
search_for("mr", searching_user: moderator).size.should == 6
results = search_for("mrb", searching_user: admin)
results.size.should == 3 results.size.should == 3
results = search_for("MR") results = search_for("MR", searching_user: admin)
results.size.should == 6 results.size.should == 6
results = search_for("MRB") results = search_for("MRB", searching_user: admin)
results.size.should == 3 results.size.should == 3
# topic priority # topic priority
results = search_for("mrb", topic.id) results = search_for("mrb", topic_id: topic.id)
results.first.should == user1 results.first.should == user1
results = search_for("mrb", topic2.id) results = search_for("mrb", topic_id: topic2.id)
results.first.should == user2 results.first.should == user2
results = search_for("mrb", topic3.id) results = search_for("mrb", topic_id: topic3.id)
results.first.should == user5 results.first.should == user5
# When searching by name is enabled, it returns the record # When searching by name is enabled, it returns the record