From f336c7ae539e53b6c1d9c2fcd496740dd6ee77be Mon Sep 17 00:00:00 2001
From: Benjamin Gamard <b.gamard@sismics.com>
Date: Fri, 3 May 2019 13:27:23 +0200
Subject: [PATCH] Closes #313: remove administrators from ACL targets search

---
 .../sismics/docs/rest/resource/AclResource.java    | 14 ++++++++++----
 .../com/sismics/docs/rest/TestAclResource.java     |  4 ++--
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java b/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java
index 6e327553..60ebebe9 100644
--- a/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java
+++ b/docs-web/src/main/java/com/sismics/docs/rest/resource/AclResource.java
@@ -228,8 +228,11 @@ public class AclResource extends BaseResource {
         SortCriteria sortCriteria = new SortCriteria(1, true);
         List<UserDto> userDtoList = userDao.findByCriteria(new UserCriteria().setSearch(search), sortCriteria);
         for (UserDto userDto : userDtoList) {
-            users.add(Json.createObjectBuilder()
-                    .add("name", userDto.getUsername()));
+            // No need to add users who will skip ACL check anyways
+            if (!SecurityUtil.skipAclCheck(Lists.newArrayList(userDto.getId()))) {
+                users.add(Json.createObjectBuilder()
+                        .add("name", userDto.getUsername()));
+            }
         }
         
         // Search groups
@@ -237,8 +240,11 @@ public class AclResource extends BaseResource {
         JsonArrayBuilder groups = Json.createArrayBuilder();
         List<GroupDto> groupDtoList = groupDao.findByCriteria(new GroupCriteria().setSearch(search), sortCriteria);
         for (GroupDto groupDto : groupDtoList) {
-            groups.add(Json.createObjectBuilder()
-                    .add("name", groupDto.getName()));
+            // No need to add users who will skip ACL check anyways
+            if (!SecurityUtil.skipAclCheck(Lists.newArrayList(groupDto.getId()))) {
+                groups.add(Json.createObjectBuilder()
+                        .add("name", groupDto.getName()));
+            }
         }
         
         JsonObjectBuilder response = Json.createObjectBuilder()
diff --git a/docs-web/src/test/java/com/sismics/docs/rest/TestAclResource.java b/docs-web/src/test/java/com/sismics/docs/rest/TestAclResource.java
index d3402d6f..8365780d 100644
--- a/docs-web/src/test/java/com/sismics/docs/rest/TestAclResource.java
+++ b/docs-web/src/test/java/com/sismics/docs/rest/TestAclResource.java
@@ -263,9 +263,9 @@ public class TestAclResource extends BaseJerseyTest {
                 .cookie(TokenBasedSecurityFilter.COOKIE_NAME, acl1Token)
                 .get(JsonObject.class);
         users = json.getJsonArray("users");
-        Assert.assertEquals(1, users.size());
+        Assert.assertEquals(0, users.size());
         groups = json.getJsonArray("groups");
-        Assert.assertEquals(1, groups.size());
+        Assert.assertEquals(0, groups.size());
     }
 
     @Test