diff options
| author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:59 +0000 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-25 16:43:59 +0000 |
| commit | 4d2a666c743d2ae2f068d1975dc9cf8f21b97c51 (patch) | |
| tree | 7ef727f3cb2ee884f55b770bd8d13604444c2ed0 /app/finders | |
| parent | 2f0050fba988353109d216c2e89b475e04ca6f49 (diff) | |
| parent | 7084d71e781d9893fe4c24e45af434e2ca511fdd (diff) | |
| download | gitlab-ce-4d2a666c743d2ae2f068d1975dc9cf8f21b97c51.tar.gz | |
Merge branch 'security-contributed-projects' into 'master'
[master] Fix contributed projects info is still visible even user enable private profile
See merge request gitlab/gitlabhq!2743
Diffstat (limited to 'app/finders')
| -rw-r--r-- | app/finders/contributed_projects_finder.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/app/finders/contributed_projects_finder.rb b/app/finders/contributed_projects_finder.rb index c1ef9dfefa7..f8c7f0c3167 100644 --- a/app/finders/contributed_projects_finder.rb +++ b/app/finders/contributed_projects_finder.rb @@ -14,6 +14,9 @@ class ContributedProjectsFinder < UnionFinder # Returns an ActiveRecord::Relation. # rubocop: disable CodeReuse/ActiveRecord def execute(current_user = nil) + # Do not show contributed projects if the user profile is private. + return Project.none unless can_read_profile?(current_user) + segments = all_projects(current_user) find_union(segments, Project).includes(:namespace).order_id_desc @@ -22,6 +25,10 @@ class ContributedProjectsFinder < UnionFinder private + def can_read_profile?(current_user) + Ability.allowed?(current_user, :read_user_profile, @user) + end + def all_projects(current_user) projects = [] |