From 9ddd7f48895f508539d591aeebde450a86987024 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 15 Aug 2022 22:39:41 +0200
Subject: [PATCH] fix: only list all users when allowed
---
 pkg/models/users_list_test.go | 7 +++++++
 pkg/user/user_test.go | 25 +++++++++++++++++++++++++
 pkg/user/users_list.go | 30 +++++++++++++++++++-----------
 3 files changed, 51 insertions(+), 11 deletions(-)
diff --git a/pkg/models/users_list_test.go b/pkg/models/users_list_test.go
index 1a48c9de4e8..a9835607175 100644
--- a/pkg/models/users_list_test.go
+++ b/pkg/models/users_list_test.go
@@ -214,6 +214,13 @@ func TestListUsersFromList(t *testing.T) {
 testuser13, // Shared Via NamespaceUser admin
 },
 },
+ {
+ name: "search for user1",
+ args: args{l: &List{ID: 19, OwnerID: 7}, search: "user1"},
+ wantUsers: []*user.User{
+ testuser1, // Shared Via Team readonly
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/user/user_test.go b/pkg/user/user_test.go
index 82820085a01..785e94544b6 100644
--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@@ -455,6 +455,31 @@ func TestListUsers(t *testing.T) {
 "discoverable_by_email": true,
 }, false)
 })
+ t.Run("discoverable by exact username", func(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ all, err := ListUsers(s, "user7", nil)
+ assert.NoError(t, err)
+ assert.Len(t, all, 1)
+ assert.Equal(t, int64(7), all[0].ID)
+ db.AssertExists(t, "users", map[string]interface{}{
+ "username": "user7",
+ }, false)
+ })
+ t.Run("not discoverable by partial username", func(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ all, err := ListUsers(s, "user", nil)
+ assert.NoError(t, err)
+ assert.Len(t, all, 0)
+ db.AssertExists(t, "users", map[string]interface{}{
+ "username": "user7",
+ }, false)
+ })
 }
 
 func TestUserPasswordReset(t *testing.T) {
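Review bot: The new TestListUsers subtests in pkg/user/user_test.go only pass a single term (`"user7"` and `"user"`), so the comma-splitting this commit adds to ListUsers is never exercised. Add subtests that pin the exact result set for a multi-term search such as `ListUsers(s, "user1,user7", nil)` and for inputs with an empty part such as `"user7,"` and `","`, since an empty part is the case most likely to widen the match again. Separately, `assert.Len(t, all, 1)` does not stop the subtest on failure, so `all[0].ID` on the next line would panic on an empty result; guard it with `if !assert.Len(t, all, 1) { return }`. TestListUsers begins outside the hunk.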
diff --git a/pkg/user/users_list.go b/pkg/user/users_list.go
index e24501edd2e..b2dac2c9323 100644
--- a/pkg/user/users_list.go
+++ b/pkg/user/users_list.go
@@ -41,17 +41,25 @@ func ListUsers(s *xorm.Session, search string, opts *ListUserOpts) (users []*Use
 return
 }
 
- cond := builder.Or(
- builder.Like{"username", "%" + search + "%"},
- builder.And(
- builder.Eq{"email": search},
- builder.Eq{"discoverable_by_email": true},
- ),
- builder.And(
- builder.Like{"name", "%" + search + "%"},
- builder.Eq{"discoverable_by_name": true},
- ),
- )
+ conds := []builder.Cond{}
+
+ if search != "" {
+ for _, queryPart := range strings.Split(search, ",") {
+ conds = append(conds,
+ builder.Eq{"username": queryPart},
+ builder.And(
+ builder.Eq{"email": queryPart},
+ builder.Eq{"discoverable_by_email": true},
+ ),
+ builder.And(
+ builder.Like{"name", "%" + queryPart + "%"},
+ builder.Eq{"discoverable_by_name": true},
+ ),
+ )
+ }
+ }
+
+ cond := builder.Or(conds...)
 
 if opts.AdditionalCond != nil {
 cond = builder.And(
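Review bot: An empty element from `strings.Split(search, ",")` still reaches the `builder.Like{"name", "%" + queryPart + "%"}` branch, so a search with a trailing or lone comma yields `name LIKE '%%'` and would match every user that has `discoverable_by_name` set, which looks like the listing the commit title sets out to restrict. Trim and skip blank parts at the top of the loop, e.g. `if queryPart = strings.TrimSpace(queryPart); queryPart == "" { continue }`. The same branch also passes `%` and `_` through as LIKE wildcards unless `search` is sanitised above the hunk, which is not visible here, so escaping or stripping them in `queryPart` is worth confirming. The number of comma-separated parts is unbounded as well; a small cap would keep the generated OR list predictable. ListUsers starts and ends outside the hunk.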