Make sure the user only sees groups he's allowed to see

author: Bob Van Landuyt <bob@vanlanduyt.co> 2017-09-26 20:06:08 +0200
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2017-10-04 22:49:42 +0200
commit: 7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf (patch)
tree: b882d6f373aa7ab40a428ac2d365f28925870494 /app/finders
parent: b92e7103fcced2d62000ed382848219016484f7b (diff)
download: gitlab-ce-7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/app/finders/group_descendants_finder.rb b/app/finders/group_descendants_finder.rb
index 4ed9c0ea39a..fca139062e5 100644
--- a/app/finders/group_descendants_finder.rb
+++ b/app/finders/group_descendants_finder.rb
@@ -73,13 +73,23 @@ class GroupDescendantsFinder
                      all_available: true).execute
   end
 
-  def all_descendant_groups
+  def all_visible_descendant_groups
+    groups_table = Group.arel_table
+    visible_for_user = if current_user
+                         groups_table[:id].in(
+                           Arel::Nodes::SqlLiteral.new(GroupsFinder.new(current_user, all_available: true).execute.select(:id).to_sql)
+                         )
+                       else
+                         groups_table[:visibility_level].eq(Gitlab::VisibilityLevel::PUBLIC)
+                       end
+
     Gitlab::GroupHierarchy.new(Group.where(id: parent_group))
       .base_and_descendants
+      .where(visible_for_user)
   end
 
   def subgroups_matching_filter
-    all_descendant_groups
+    all_visible_descendant_groups
       .where.not(id: parent_group)
       .search(params[:filter])
   end
author	Bob Van Landuyt <bob@vanlanduyt.co>	2017-09-26 20:06:08 +0200
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2017-10-04 22:49:42 +0200
commit	7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf (patch)
tree	b882d6f373aa7ab40a428ac2d365f28925870494 /app/finders
parent	b92e7103fcced2d62000ed382848219016484f7b (diff)
download	gitlab-ce-7a3ba8e9845b89c9f3f37d43e8edfeaa9093cfdf.tar.gz