External Users

The user has the rights of a public user execpt it can never create a project,
 group, or team. Also it cant view internal projects.

1 files changed, 17 insertions, 17 deletions

diff --git a/app/models/ability.rb b/app/models/ability.rb
index fe9e0aab717..ccac08b7d3f 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -109,23 +109,10 @@ class Ability
       key = "/user/#{user.id}/project/#{project.id}"
 
       RequestStore.store[key] ||= begin
-        team = project.team
+        # Push abilities on the users team role
+        rules.push(*project_team_rules(project.team, user))
 
-        # Rules based on role in project
-        if team.master?(user)
-          rules.push(*project_master_rules)
-
-        elsif team.developer?(user)
-          rules.push(*project_dev_rules)
-
-        elsif team.reporter?(user)
-          rules.push(*project_report_rules)
-
-        elsif team.guest?(user)
-          rules.push(*project_guest_rules)
-        end
-
-        if project.public? || project.internal?
+        if project.public? || (project.internal? && !user.external?)
           rules.push(*public_project_rules)
 
           # Allow to read builds for internal projects
@@ -148,6 +135,19 @@ class Ability
       end
     end
 
+    def project_team_rules(team, user)
+      # Rules based on role in project
+      if team.master?(user)
+        project_master_rules
+      elsif team.developer?(user)
+        project_dev_rules
+      elsif team.reporter?(user)
+        project_report_rules
+      elsif team.guest?(user)
+        project_guest_rules
+      end
+    end
+
     def public_project_rules
       @public_project_rules ||= project_guest_rules + [
         :download_code,
@@ -356,7 +356,7 @@ class Ability
         ]
       end
 
-      if snippet.public? || snippet.internal?
+      if snippet.public? || (snippet.internal? && !user.external?)
         rules << :read_personal_snippet
       end