Show project members only for members

author: Felipe Artur <felipefac@gmail.com> 2016-04-15 12:04:07 -0300
committer: Felipe Artur <felipefac@gmail.com> 2016-04-18 17:53:34 -0300
commit: 62f6601c598d59781137109c0eee5c5ea1792e13 (patch)
tree: e3169964c28e746d7491d50439258fc58af86013 /app/controllers
parent: 17b60d681828567e47c8a62ef312abc46e2beeea (diff)
download: gitlab-ce-62f6601c598d59781137109c0eee5c5ea1792e13.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index e457db2f0b7..f8c9ff657df 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -1,6 +1,7 @@
 class Projects::ProjectMembersController < Projects::ApplicationController
   # Authorize
-  before_action :authorize_admin_project_member!, except: :leave
+  before_action :authorize_admin_project_member!, except: [:leave, :index]
+  before_action :authorize_read_members_list!, only: [:index]
 
   def index
     @project_members = @project.project_members
@@ -112,4 +113,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   def member_params
     params.require(:project_member).permit(:user_id, :access_level)
   end
+
+  def authorize_read_members_list!
+    render_403 unless can?(current_user, :read_members_list , @project)
+  end
 end
author	Felipe Artur <felipefac@gmail.com>	2016-04-15 12:04:07 -0300
committer	Felipe Artur <felipefac@gmail.com>	2016-04-18 17:53:34 -0300
commit	62f6601c598d59781137109c0eee5c5ea1792e13 (patch)
tree	e3169964c28e746d7491d50439258fc58af86013 /app/controllers
parent	17b60d681828567e47c8a62ef312abc46e2beeea (diff)
download	gitlab-ce-62f6601c598d59781137109c0eee5c5ea1792e13.tar.gz