Fixes #38656 - Make autocompletion honor permissions

Author: adamruzicka

app/controllers/katello/concerns/filtered_auto_complete_search.rb

@@ -8,7 +8,8 @@ module FilteredAutoCompleteSearch
       def auto_complete_search
         begin
           options = resource_class.respond_to?(:completer_scope_options) ? resource_class.completer_scope_options(params[:search]) : {}
-          items = resource_class.where(:id => self.index_relation).complete_for(params[:search], options)
+          permission = resource_class.find_permission_name(:view)
+          items = resource_class.authorized(permission).where(:id => self.index_relation).complete_for(params[:search], options)
           items = filter_autocomplete_items(items)
           items = items.map do |item|
             category = ['and', 'or', 'not', 'has'].include?(item.to_s.sub(/^.*\s+/, '')) ? _('Operators') : ''

test/controllers/api/v2/concerns/filtered_auto_complete_search_test.rb

@@ -0,0 +1,24 @@
+require 'katello_test_helper'
+
+class AutoCompleteSearchTest < ActionController::TestCase
+  # Chosen at random as a representative of the controllers supporting Katello's autocompletion
+  tests ::Katello::Api::V2::ProductsController
+
+  def setup
+    setup_controller_defaults_api
+  end
+
+  test "only suggests options the user is allowed to see" do
+    user = users(:one)
+    org = user.organizations.first
+    product1 = FactoryBot.create(:katello_product, :with_provider, organization_id: org.id)
+    _product2 = FactoryBot.create(:katello_product, :with_provider, organization_id: org.id)
+    setup_user('view', 'products', "name = \"#{product1.name}\"")
+
+    get :auto_complete_search, session: set_session_user(:one), params: { search: "name =", organization_id: org.id }
+    assert_predicate response, :successful?
+    suggestions = ActiveSupport::JSON.decode(response.body)
+    assert_equal 1, suggestions.length
+    assert_equal suggestions.first['part'], "name = \"#{product1.name}\""
+  end
+end