author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:31:31 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:31:31 +0000 |
commit | e810b8327513c3b07cb779dbce6c75dbcb49ca84 (patch) | |
tree | 65b220240faa9e191388c6ab233fed03da2b8713 /app/finders | |
parent | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (diff) | |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'app/finders')
-rw-r--r-- | app/finders/events_finder.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 52612f1f8aa..004fbc4cd22 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -33,6 +33,8 @@ class EventsFinder
 end
 def execute
+ return Event.none if cannot_access_private_profile?
+
 events = get_events
 events = by_current_user_access(events)
@@ -103,6 +105,10 @@ class EventsFinder
 end
 # rubocop: enable CodeReuse/ActiveRecord
+ def cannot_access_private_profile?
+ source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source)
+ end
+
 def sort(events)
 return events unless params[:sort] |
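Review bot: The guard added at the top of `execute` is an authorization decision but carries no comment, and nothing in the hunk says why it returns an empty relation instead of raising. I would add `# Deny before any query runs: a viewer without :read_user_profile gets an empty relation, the same result as a user with no events.` above the `return Event.none` line. The diffstat shown is limited to app/finders, so no spec is visible here; it is worth confirming that one covers an anonymous viewer (`current_user` nil) against a private profile. `execute` continues past the end of the hunk.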
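Review bot: `cannot_access_private_profile?` is named more narrowly than what it checks: it is true whenever `:read_user_profile` is denied for a `User` source, for whatever reason the policy denies it, and false for every non-User source. A short comment would make that scope explicit, e.g. `# Applies to User sources only; other sources fall through to by_current_user_access in execute.` A name such as `user_profile_unreadable?` would match the check more closely. Whether the method sits under `private` cannot be seen from this hunk.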