authorJames Lopez <james@jameslopez.es>2018-12-21 15:26:33 +0100
committerJames Lopez <james@jameslopez.es>2019-01-08 16:13:50 +0100
commit7084d71e781d9893fe4c24e45af434e2ca511fdd (patch)
treebb9aabfaa2e0ed8306ad6a9942598233b6d9e3c9 /app/finders
parentd3a100abff561aeaad2752c8f2b3ab88f94926ea (diff)
downloadgitlab-ce-7084d71e781d9893fe4c24e45af434e2ca511fdd.tar.gz
Fix contributed projects finder shown private info
Diffstat (limited to 'app/finders')
-rw-r--r--app/finders/contributed_projects_finder.rb7
1 files changed, 7 insertions, 0 deletions
diff --git a/app/finders/contributed_projects_finder.rb b/app/finders/contributed_projects_finder.rb
index c1ef9dfefa7..f8c7f0c3167 100644
--- a/app/finders/contributed_projects_finder.rb
+++ b/app/finders/contributed_projects_finder.rb
@@ -14,6 +14,9 @@ class ContributedProjectsFinder < UnionFinder
# Returns an ActiveRecord::Relation.
# rubocop: disable CodeReuse/ActiveRecord
def execute(current_user = nil)
+ # Do not show contributed projects if the user profile is private.
+ return Project.none unless can_read_profile?(current_user)
+
segments = all_projects(current_user)
find_union(segments, Project).includes(:namespace).order_id_desc
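Review bot: The doc comment above `execute` still says only "Returns an ActiveRecord::Relation" and does not mention the new early return, so a caller cannot tell that an empty result may now mean the viewer is not allowed to read this profile. I would add a line such as `# Returns Project.none when current_user is not allowed :read_user_profile on the user.` The guard sits before `all_projects` builds any segment, and `Project.none` is still a relation, so the documented return type holds. A finder spec for a private profile seen by another user and by the owner would pin the behaviour; none is visible here, though the diffstat is limited to app/finders.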
@@ -22,6 +25,10 @@ class ContributedProjectsFinder < UnionFinder
private
+ def can_read_profile?(current_user)
+ Ability.allowed?(current_user, :read_user_profile, @user)
+ end
+
def all_projects(current_user)
projects = []
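Review bot: `can_read_profile?` passes `current_user` straight to `Ability.allowed?`, and `execute` defaults that argument to nil, so the signed-out case rests entirely on how the `:read_user_profile` policy treats a nil user. That policy is not visible in this diff, so a spec for an anonymous viewer of a private profile would be worth adding. A short comment on the helper would make the contract explicit, e.g. `# current_user may be nil (anonymous viewer); the :read_user_profile policy decides that case.` The body of `all_projects` continues outside the hunk.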