Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-12-04 16:53:44 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-12-04 16:53:44 +0000
commit: 4e3a54f835daa49bf784d6e6ad91e90116a24dc8 (patch)
tree: 8e1f7be7a80da2de02b2da0ed88f81b2f6b6de8c /app/finders
parent: aefe6486cf0d193067112b90145083d73b96bfef (diff)
download: gitlab-ce-4e3a54f835daa49bf784d6e6ad91e90116a24dc8.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/app/finders/starred_projects_finder.rb b/app/finders/starred_projects_finder.rb
index fcb469d1d17..e209960c471 100644
--- a/app/finders/starred_projects_finder.rb
+++ b/app/finders/starred_projects_finder.rb
@@ -1,11 +1,22 @@
 # frozen_string_literal: true
 
 class StarredProjectsFinder < ProjectsFinder
+  include Gitlab::Allowable
+
   def initialize(user, params: {}, current_user: nil)
+    @user = user
+
     super(
       params: params,
       current_user: current_user,
       project_ids_relation: user.starred_projects.select(:id)
     )
   end
+
+  def execute
+    # Do not show starred projects if the user has a private profile.
+    return Project.none unless can?(current_user, :read_user_profile, @user)
+
+    super
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-12-04 16:53:44 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-12-04 16:53:44 +0000
commit	4e3a54f835daa49bf784d6e6ad91e90116a24dc8 (patch)
tree	8e1f7be7a80da2de02b2da0ed88f81b2f6b6de8c /app/finders
parent	aefe6486cf0d193067112b90145083d73b96bfef (diff)
download	gitlab-ce-4e3a54f835daa49bf784d6e6ad91e90116a24dc8.tar.gz