diff options
| author | Felipe Artur <felipefac@gmail.com> | 2016-03-24 12:55:04 -0300 |
|---|---|---|
| committer | Felipe Artur <felipefac@gmail.com> | 2016-04-18 11:11:36 -0300 |
| commit | b05f0a48584ea45cc89a8efaafd8e54642b8497c (patch) | |
| tree | b332d81e44d0afb990898d88f1dae30cea42fb1a | |
| parent | 5ae4fd2181e81f6e75a9d4021fc7d0c4749139ef (diff) | |
| download | gitlab-ce-b05f0a48584ea45cc89a8efaafd8e54642b8497c.tar.gz | |
Restrict user profiles based on restricted visibility levels
| -rw-r--r-- | app/controllers/users_controller.rb | 4 | ||||
| -rw-r--r-- | app/models/user.rb | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 8e7956da48f..49ddcfed7b1 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -1,6 +1,7 @@ class UsersController < ApplicationController skip_before_action :authenticate_user! before_action :set_user + before_filter :authorize_read_user, only: [:show] def show respond_to do |format| @@ -74,6 +75,9 @@ class UsersController < ApplicationController end private + def authorize_read_user + render_404 unless @user.public? + end def set_user @user = User.find_by_username!(params[:username]) diff --git a/app/models/user.rb b/app/models/user.rb index 031315debd7..e2b602d598b 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -835,6 +835,10 @@ class User < ActiveRecord::Base notification_settings.find_or_initialize_by(source: source) end + def public? + current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) + end + private def projects_union |