diff --git a/pkg/webtests/integrations.go b/pkg/webtests/integrations.go
index 9187db6f1..b00f3d8a1 100644
--- a/pkg/webtests/integrations.go
+++ b/pkg/webtests/integrations.go
@@ -53,6 +53,13 @@ var (
 Email: "user1@example.com",
 Issuer: "local",
 }
+ testuser10 = user.User{
+ ID: 10,
+ Username: "user10",
+ Password: "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
+ Email: "user10@example.com",
+ Issuer: "local",
+ }
 testuser15 = user.User{
 ID: 15,
 Username: "user15",
diff --git a/pkg/webtests/user_project_test.go b/pkg/webtests/user_project_test.go
index c8843d10d..f249899b2 100644
--- a/pkg/webtests/user_project_test.go
+++ b/pkg/webtests/user_project_test.go
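Review bot: The new `testuser10` fixture in pkg/webtests/integrations.go carries no hint of why it exists, while the subtests added to TestUserProject depend on user 10 sharing external team 14 with user 11. A one-line comment above the declaration, `// testuser10 shares external team 14 with user 11; used by the user search discoverability tests.`, would make that dependency on the database fixtures visible to whoever edits either side. The surrounding `var (` block starts and ends outside the hunk.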
@@ -41,4 +41,46 @@ func TestUserProject(t *testing.T) {
 assert.NotContains(t, rec.Body.String(), `user4`)
 assert.NotContains(t, rec.Body.String(), `user5`)
 })
+ t.Run("external team member discoverable by name", func(t *testing.T) {
+ // User 10 searches for "Some one else" (user 11's name).
+ // User 11 has discoverable_by_name=false, but they share external team 14.
+ // Should find user 11.
+ rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser10, "", map[string][]string{"s": {"Some one else"}}, nil)
+ require.NoError(t, err)
+ assert.Contains(t, rec.Body.String(), `user11`)
+ })
+ t.Run("external team member discoverable by email", func(t *testing.T) {
+ // User 10 searches for user 11's email.
+ // User 11 has discoverable_by_email=false, but they share external team 14.
+ // Should find user 11.
+ rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser10, "", map[string][]string{"s": {"user11@example.com"}}, nil)
+ require.NoError(t, err)
+ assert.Contains(t, rec.Body.String(), `user11`)
+ })
+ t.Run("non-external-team user cannot discover by name", func(t *testing.T) {
+ // User 1 searches for "Some one else" (user 11's name).
+ // User 1 does NOT share an external team with user 11.
+ // User 11 has discoverable_by_name=false.
+ // Should NOT find user 11.
+ rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"Some one else"}}, nil)
+ require.NoError(t, err)
+ assert.NotContains(t, rec.Body.String(), `user11`)
+ })
+ t.Run("non-external-team user cannot discover by email", func(t *testing.T) {
+ // User 1 searches for user 11's email.
+ // User 1 does NOT share an external team with user 11.
+ // User 11 has discoverable_by_email=false.
+ // Should NOT find user 11.
+ rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"user11@example.com"}}, nil)
+ require.NoError(t, err)
+ assert.NotContains(t, rec.Body.String(), `user11`)
+ })
+ t.Run("regular team does not bypass discoverability", func(t *testing.T) {
+ // User 1 and user 2 share team 1 (a regular team, no external_id).
+ // User 2 has discoverable_by_name=false and discoverable_by_email=false.
+ // Searching by email should NOT find user 2 (regular team doesn't bypass).
+ rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"user2@example.com"}}, nil)
+ require.NoError(t, err)
+ assert.NotContains(t, rec.Body.String(), `user2`)
+ })
 }
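Review bot: Every negative subtest here searches as `testuser1`, so nothing pins the bypass to the shared external team. If user 1 belongs to no external team at all (the fixtures are not visible in this diff), an implementation that lifts the discoverability flags for any caller who is in some external team would still pass all five cases. A subtest whose searcher belongs to an external team other than 14 would close that gap; a sketch with a placeholder fixture name follows. The body checks are also substring matches, so the `user2` assertion would trip on an unrelated `user20` entry, and comparing decoded usernames would be tighter. TestUserProject starts above this hunk.

```go
t.Run("member of a different external team cannot discover by name", func(t *testing.T) {
	// PLACEHOLDER: testuserOtherExternalTeam stands for a fixture user that belongs
	// to an external team other than team 14; no such fixture is visible in this diff.
	rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuserOtherExternalTeam, "", map[string][]string{"s": {"Some one else"}}, nil)
	require.NoError(t, err)
	assert.NotContains(t, rec.Body.String(), `user11`)
})
```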