User pages are visible to users without login

... if the user is authorized to at least one public project.

1 files changed, 16 insertions, 4 deletions

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6a5ce62909e..e86601a439e 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,11 +1,23 @@
 class UsersController < ApplicationController
-  layout 'navless'
+
+  skip_before_filter :authenticate_user!, only: [:show]
+  layout :determine_layout
 
   def show
-    @user = User.find_by!(username: params[:username])
-    @projects = @user.authorized_projects.where(id: current_user.authorized_projects.pluck(:id)).includes(:namespace)
+    @user = User.find_by_username!(params[:username])
+    @projects = @user.authorized_projects.includes(:namespace).select {|project| can?(current_user, :read_project, project)}
+    if !current_user && @projects.empty?
+      return authenticate_user!
+    end
     @events = @user.recent_events.where(project_id: @projects.map(&:id)).limit(20)
-
     @title = @user.name
   end
+
+  def determine_layout
+    if current_user
+      'navless'
+    else
+      'public_users'
+    end
+  end
 end