From f4f0e1b8bdafcfdcc3f9749dd1ce779fef0a8072 Mon Sep 17 00:00:00 2001
From: Jesse Hall <jessehall3@gmail.com>
Date: Wed, 23 Oct 2019 08:23:19 +0000
Subject: [PATCH] Fix for #33792, users can filter by bad author name and
 search term in group issues and MRs

---
 app/finders/issuable_finder.rb             |  1 +
 spec/finders/issues_finder_spec.rb         | 14 ++++++++++++++
 spec/finders/merge_requests_finder_spec.rb | 12 ++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 477093ddadfb9..0005206970b9b 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -483,6 +483,7 @@ def by_project(items)
   # rubocop: disable CodeReuse/ActiveRecord
   def by_search(items)
     return items unless search
+    return items if items.is_a?(ActiveRecord::NullRelation)
 
     if use_cte_for_search?
       cte = Gitlab::SQL::RecursiveCTE.new(klass.table_name)
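Review bot: The new guard at the top of `by_search` has no comment saying why a null relation must short-circuit, and it type-checks against `ActiveRecord::NullRelation`, a framework-internal module that may not survive Rails upgrades. The method body continues outside the hunk, but presumably the CTE branch rebuilds the query from `klass` and drops the `none` state set by an earlier filter, so an unknown author would return every item matching the search term instead of nothing. I would add a comment above the guard such as `# An earlier filter already emptied the relation (e.g. unknown author); the CTE path below rebuilds the query and would lose that.` — confirm the wording against the rest of the method. Other finder steps that re-root the query from `klass` would need the same guard, so they are worth checking.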
diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb
index c27ce263bf0ee..6c10a61727963 100644
--- a/spec/finders/issues_finder_spec.rb
+++ b/spec/finders/issues_finder_spec.rb
@@ -163,6 +163,20 @@
         end
       end
 
+      context 'filtering by nonexistent author ID and issue term using CTE for search' do
+        let(:params) do
+          {
+            author_id: 'does-not-exist',
+            search: 'git',
+            attempt_group_search_optimizations: true
+          }
+        end
+
+        it 'returns no results' do
+          expect(issues).to be_empty
+        end
+      end
+
       context 'filtering by milestone' do
         let(:params) { { milestone_title: milestone.title } }
 
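Review bot: The `be_empty` expectation in this new context can pass vacuously, and the same applies to the new example in `spec/finders/merge_requests_finder_spec.rb`. Nothing in either hunk shows that `search: 'git'` matches any fixture, or that `attempt_group_search_optimizations: true` alone makes `use_cte_for_search?` true, so the spec may never reach the guarded path. A control assertion that the search term alone returns results would pin this down, for the MR spec e.g. `expect(described_class.new(user, params.except(:author_id)).execute).not_to be_empty`. The commit subject mentions a bad author name while both specs pass `author_id`, so a case for the username filter (if the finder has one) would cover the reported scenario more directly.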
diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb
index a396284f1e940..bc85a62211939 100644
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -23,6 +23,18 @@
         expect(merge_requests).to contain_exactly(merge_request1)
       end
 
+      it 'filters by nonexistent author ID and MR term using CTE for search' do
+        params = {
+          author_id: 'does-not-exist',
+          search: 'git',
+          attempt_group_search_optimizations: true
+        }
+
+        merge_requests = described_class.new(user, params).execute
+
+        expect(merge_requests).to be_empty
+      end
+
       it 'filters by projects' do
         params = { projects: [project2.id, project3.id] }
 
-- 
GitLab