FIX: Prevent field name conflicts when using the `groups_for_users_search` modifier (#22446)

2023-07-05 19:58:21 -03:00 · 2023-07-05 19:58:21 -03:00 · 4f2299949a
parent 972e0f74ff
commit 4f2299949a
2 changed files with 35 additions and 9 deletions
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -275,12 +275,12 @@ class Group < ActiveRecord::Base
  scope :messageable,
        lambda { |user|
          where(
-            "messageable_level in (:levels) OR
+            "groups.messageable_level in (:levels) OR
          (
-            messageable_level = #{ALIAS_LEVELS[:members_mods_and_admins]} AND id in (
+            groups.messageable_level = #{ALIAS_LEVELS[:members_mods_and_admins]} AND groups.id in (
            SELECT group_id FROM group_users WHERE user_id = :user_id)
          ) OR (
-            messageable_level = #{ALIAS_LEVELS[:owners_mods_and_admins]} AND id in (
+            groups.messageable_level = #{ALIAS_LEVELS[:owners_mods_and_admins]} AND groups.id in (
            SELECT group_id FROM group_users WHERE user_id = :user_id AND owner IS TRUE)
          )",
            levels: alias_levels(user),
@ -290,14 +290,14 @@ class Group < ActiveRecord::Base

  def self.mentionable_sql_clause(include_public: true)
    clause = +<<~SQL
-      mentionable_level in (:levels)
+      groups.mentionable_level in (:levels)
      OR (
-        mentionable_level = #{ALIAS_LEVELS[:members_mods_and_admins]}
-        AND id in (
+        groups.mentionable_level = #{ALIAS_LEVELS[:members_mods_and_admins]}
+        AND groups.id in (
          SELECT group_id FROM group_users WHERE user_id = :user_id)
      ) OR (
-        mentionable_level = #{ALIAS_LEVELS[:owners_mods_and_admins]}
-        AND id in (
+        groups.mentionable_level = #{ALIAS_LEVELS[:owners_mods_and_admins]}
+        AND groups.id in (
          SELECT group_id FROM group_users WHERE user_id = :user_id AND owner IS TRUE)
      )
      SQL
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -906,7 +906,7 @@ RSpec.describe UsersController do
          SiteSetting.send_welcome_message = true
          SiteSetting.must_approve_users = true

-          #Sidekiq::Client.expects(:enqueue).never
+          # Sidekiq::Client.expects(:enqueue).never
          post "/u.json",
               params: post_user_params.merge(approved: true, active: true),
               headers: {
@ -4997,6 +4997,31 @@ RSpec.describe UsersController do
          DiscoursePluginRegistry.reset!
        end

+        it "works when the modifier to the groups filter introduces a join with a conflicting name fields like `id` for example" do
+          %i[
+            include_groups
+            include_mentionable_groups
+            include_messageable_groups
+          ].each do |param_name|
+            get "/u/search/users.json", params: { param_name => "true", :term => "a" }
+
+            expect(response.status).to eq(200)
+
+            Plugin::Instance
+              .new
+              .register_modifier(:groups_for_users_search) do |groups|
+                # a join with a conflicting name field (id) is introduced here
+                # we expect the query to work correctly
+                groups.left_joins(:users).where(users: { admin: true })
+              end
+
+            get "/u/search/users.json", params: { param_name => "true", :term => "a" }
+            expect(response.status).to eq(200) # the conflict would cause a 500 error
+
+            DiscoursePluginRegistry.reset!
+          end
+        end
+
        it "doesn't search for groups" do
          get "/u/search/users.json",
              params: {
@ -5719,6 +5744,7 @@ RSpec.describe UsersController do
          Class
            .new(Auth::Authenticator) do
              attr_accessor :can_revoke
+
              def name
                "testprovider"
              end