authorSean McGivern <sean@gitlab.com>2017-06-23 12:50:33 +0100
committerSean McGivern <sean@gitlab.com>2017-06-30 10:33:45 +0100
commitc400030d0f51c71f32990ab0ecfebfa245ed663e (patch)
tree549f4159fe8613490d91ed46d11823aa115fcd7e /app/finders
parent20bb678d91715817f3da04c7a1b73db84295accd (diff)
Don't count any confidential issues for non-project-members
Diffstat (limited to 'app/finders')
-rw-r--r--app/finders/issuable_finder.rb2
-rw-r--r--app/finders/issues_finder.rb13
2 files changed, 9 insertions, 6 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 558f8b5e2e5..e8605f3d5b3 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -62,7 +62,7 @@ class IssuableFinder
# grouping and counting within that query.
#
def count_by_state
- count_params = params.merge(state: nil, sort: nil)
+ count_params = params.merge(state: nil, sort: nil, for_counting: true)
labels_count = label_names.any? ? label_names.count : 1
finder = self.class.new(current_user, count_params)
counts = Hash.new(0)
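Review bot: `for_counting: true` is merged into the same `params` hash that carries the filter values, and nothing in this hunk marks it as an internal control flag rather than a filter. If `params` can be populated from a request (not visible here), a caller-supplied `for_counting` would only narrow the result to non-confidential issues for users without full access, so it fails closed, but that property is worth writing down. I would add a comment above the merge such as `# for_counting: count queries hide all confidential issues from non-members (see IssuesFinder#user_cannot_see_confidential_issues?)`. The body of `count_by_state` continues outside the hunk.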
diff --git a/app/finders/issues_finder.rb b/app/finders/issues_finder.rb
index 328198c026a..b213a7aebfd 100644
--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder
end
def not_restricted_by_confidentiality
- return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
return Issue.all if user_can_see_all_confidential_issues?
+ return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
Issue.where('
issues.confidential IS NOT TRUE
@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder
end
def user_can_see_all_confidential_issues?
- return false unless current_user
- return true if current_user.full_private_access?
+ return @user_can_see_all_confidential_issues = false if current_user.blank?
+ return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
- project? &&
+ @user_can_see_all_confidential_issues =
+ project? &&
project &&
project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL
end
def user_cannot_see_confidential_issues?
- current_user.blank?
+ return false if user_can_see_all_confidential_issues?
+
+ current_user.blank? || params[:for_counting]
end
private
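Review bot: The new `@user_can_see_all_confidential_issues` assignments in `user_can_see_all_confidential_issues?` store the result, but nothing in the hunk reads it back, so the method still recomputes on every call. It is now called twice per query, once from `not_restricted_by_confidentiality` in the previous hunk and once from `user_cannot_see_confidential_issues?`, which repeats the `project.team.max_member_access` lookup. Add `return @user_can_see_all_confidential_issues if defined?(@user_can_see_all_confidential_issues)` as the first line of the method; use `defined?` rather than `||=` so that a cached `false` is honoured. `user_cannot_see_confidential_issues?` would also benefit from a short comment saying that counting queries deliberately exclude the confidential issues the fall-through scope in `not_restricted_by_confidentiality` would otherwise include, since `params[:for_counting]` alone does not explain the access decision.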