From d98445d1fe80bc1d36ef9733ddf375c77897214c Mon Sep 17 00:00:00 2001
From: Romit Choudhary
Date: Thu, 23 Sep 2021 14:01:09 +0200
Subject: [PATCH] Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
---
 app/models/user/search.rb | 5 ++++-
 spec/requests/user_spec.rb | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/models/user/search.rb b/app/models/user/search.rb
index dd4f61081..f9ad24a43 100644
--- a/app/models/user/search.rb
+++ b/app/models/user/search.rb
@@ -174,10 +174,13 @@ returns
 if is_query
 statement = statement.where(
- '(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?) AND users.id != 1', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
+ '(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?)', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
 )
 end
+ # Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
+ statement = statement.where('users.id != 1')
+
 statement.order(Arel.sql(order_sql))
 .offset(offset)
 .limit(limit)
diff --git a/spec/requests/user_spec.rb b/spec/requests/user_spec.rb
index 74372088b..3d807086c 100644
--- a/spec/requests/user_spec.rb
+++ b/spec/requests/user_spec.rb
@@ -1421,6 +1421,12 @@ RSpec.describe 'User', type: :request do
 make_request(query: '9U7Z', group_ids: { 999 => 'read' })
 expect(json_response.count).to eq(0)
 end
+
+ it 'does not list user with id 1' do
+ make_request(query: '')
+ not_in_response = json_response.none? { |item| item['id'] == 1 }
+ expect(not_in_response).to be(true)
+ end
 end
 describe 'with searchindex', searchindex: true do
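Review bot: The exclusion that now sits outside the `is_query` branch still hard-codes the system user as a literal in raw SQL, `statement = statement.where('users.id != 1')`, and the comment above it repeats the issue title rather than saying why the row is hidden, so a reader who does not know #3755 learns nothing from it. I would replace the comment with `# Never expose the system user (id 1) through user search, whether or not a query string was given` and, if the model already has a constant for the system user id, use it here instead of the literal so the two cannot drift. Separately, on the retained LIKE line the user-supplied `query` is bound as a parameter but its `%` and `_` are not escaped, so a caller can still supply LIKE wildcards; passing it through `sanitize_sql_like(query)` before building `"%#{query}%"` would close that, although this is pre-existing rather than introduced here. The enclosing method starts before the hunk and may continue after `.limit(limit)`, so whether other return paths in it (for example a search-index branch) apply the same exclusion cannot be seen from this hunk.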
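Review bot: The new example at the end of this hunk passes vacuously when the request returns an empty array, because `none?` over an empty `json_response` is `true`, so a request that was denied or returned no users would look like a successful exclusion. Add a positive expectation ahead of the `none?` check, for instance `expect(json_response).not_to be_empty`, or assert that a user created by the surrounding setup is present, so the test proves the endpoint returned users and omitted only id 1. The example also only exercises the empty-query path; since the old exclusion lived inside the query branch, a second case calling `make_request` with a non-empty query that matches the system user would guard that path against regression (which attributes user 1 has is not visible here). The `not_in_response` temporary can be folded into the expectation, e.g. `expect(json_response.map { |item| item['id'] }).not_to include(1)`, which also gives a readable failure message.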
@@ -1449,6 +1455,12 @@ RSpec.describe 'User', type: :request do
 make_request(query: '9U7Z', group_ids: { 999 => 'read' })
 expect(json_response.count).to eq(0)
 end
+
+ it 'does not list user with id 1' do
+ make_request(query: '')
+ not_in_response = json_response.none? { |item| item['id'] == 1 }
+ expect(not_in_response).to be(true)
+ end
 end
 end
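Review bot: This example is added under the `describe 'with searchindex', searchindex: true` group, yet the patch's diffstat lists only `app/models/user/search.rb` and this spec, and the visible model hunk changes only the SQL `statement.where` path; unless the search-index branch already drops the system user somewhere outside this patch, the example either fails or passes only because `none?` is vacuously true on an empty result. Worth confirming against the search-index code before merging, and adding `expect(json_response).not_to be_empty` before the `none?` check so a vacuous pass cannot mask that. The enclosing `describe` blocks begin before this hunk, so the setup that populates the index is not visible here.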