author | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-09-26 20:06:08 +0200 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2017-10-04 22:49:42 +0200 |
commit | 7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf (patch) | |
tree | b882d6f373aa7ab40a428ac2d365f28925870494 /app/finders | |
parent | b92e7103fcced2d62000ed382848219016484f7b (diff) | |
Make sure the user only sees groups he's allowed to see
Diffstat (limited to 'app/finders')
-rw-r--r-- | app/finders/group_descendants_finder.rb | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/app/finders/group_descendants_finder.rb b/app/finders/group_descendants_finder.rb index 4ed9c0ea39a..fca139062e5 100644 --- a/app/finders/group_descendants_finder.rb +++ b/app/finders/group_descendants_finder.rb @@ -73,13 +73,23 @@ class GroupDescendantsFinder all_available: true).execute end - def all_descendant_groups + def all_visible_descendant_groups + groups_table = Group.arel_table + visible_for_user = if current_user + groups_table[:id].in( + Arel::Nodes::SqlLiteral.new(GroupsFinder.new(current_user, all_available: true).execute.select(:id).to_sql) + ) + else + groups_table[:visibility_level].eq(Gitlab::VisibilityLevel::PUBLIC) + end + Gitlab::GroupHierarchy.new(Group.where(id: parent_group)) .base_and_descendants + .where(visible_for_user) end def subgroups_matching_filter - all_descendant_groups + all_visible_descendant_groups .where.not(id: parent_group) .search(params[:filter]) end |
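Review bot: in the `current_user` branch of `all_visible_descendant_groups`, the subquery is rendered with `.to_sql` and wrapped in `Arel::Nodes::SqlLiteral.new(...)`, which takes that fragment out of Arel's quoting. Nothing user-controlled is interpolated in the lines shown, but a short comment stating why the relation is inlined as a literal would keep a later edit from adding interpolated input at this spot. Also, `.where(visible_for_user)` is applied to the result of `base_and_descendants`, not to the traversal itself, so it would be worth having specs, if they are not already in the part of the commit outside `app/finders`, for a visible subgroup nested under a group the user cannot see and for the anonymous branch that only matches `Gitlab::VisibilityLevel::PUBLIC`.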