Merge remote-tracking branch 'dev/13-1-stable' into 13-1-stable

author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-07-01 16:56:42 +0000
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-07-01 16:56:42 +0000
commit: 132d2fd5cf7329a65237f93e97d16eb192a8d688 (patch)
tree: 0807d7d9ea9319f5349ff8a953c5eb02b69226ee /app/finders/events_finder.rb
parent: 2b0b97e746e327c6168505df7740e667b690a27f (diff)
parent: 2e7a6f64b07d018acbf2d42e5cc4c5224e4e8b42 (diff)
download: gitlab-ce-132d2fd5cf7329a65237f93e97d16eb192a8d688.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 52612f1f8aa..004fbc4cd22 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -33,6 +33,8 @@ class EventsFinder
   end
 
   def execute
+    return Event.none if cannot_access_private_profile?
+
     events = get_events
 
     events = by_current_user_access(events)
@@ -103,6 +105,10 @@ class EventsFinder
   end
   # rubocop: enable CodeReuse/ActiveRecord
 
+  def cannot_access_private_profile?
+    source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source)
+  end
+
   def sort(events)
     return events unless params[:sort]
author	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-07-01 16:56:42 +0000
committer	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2020-07-01 16:56:42 +0000
commit	132d2fd5cf7329a65237f93e97d16eb192a8d688 (patch)
tree	0807d7d9ea9319f5349ff8a953c5eb02b69226ee /app/finders/events_finder.rb
parent	2b0b97e746e327c6168505df7740e667b690a27f (diff)
parent	2e7a6f64b07d018acbf2d42e5cc4c5224e4e8b42 (diff)
download	gitlab-ce-132d2fd5cf7329a65237f93e97d16eb192a8d688.tar.gz