diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-09-14 11:23:07 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-09-14 15:05:22 +0200 |
| commit | c86613412ddc60059a4c459e5e1c3e0a822885fa (patch) | |
| tree | 475a42c5280707437ce5d0f9bbbc443e2f4492a9 /app | |
| parent | 6ceb26a0dd5bac7389bbb6a8ba3eb236dd978f0b (diff) | |
| download | gitlab-ce-c86613412ddc60059a4c459e5e1c3e0a822885fa.tar.gz | |
Merge branch '21650-only-active-users-can-be-members' into 'master'
Exclude some pending or inactivated rows in Member scopes
An unapproved request or not-yet-accepted invite should not give access rights. Neither should a blocked user be considered a member of anything.
One visible outcome of this behaviour is that owners and masters of a group or project may be blocked, yet still receive notification emails for access requests.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/21650
See merge request !1994
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/member.rb | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/app/models/member.rb b/app/models/member.rb index 64e0d33fb20..69406379948 100644 --- a/app/models/member.rb +++ b/app/models/member.rb @@ -28,17 +28,34 @@ class Member < ActiveRecord::Base allow_nil: true } + # This scope encapsulates (most of) the conditions a row in the member table + # must satisfy if it is a valid permission. Of particular note: + # + # * Access requests must be excluded + # * Blocked users must be excluded + # * Invitations take effect immediately + # * expires_at is not implemented. A background worker purges expired rows + scope :active, -> do + is_external_invite = arel_table[:user_id].eq(nil).and(arel_table[:invite_token].not_eq(nil)) + user_is_active = User.arel_table[:state].eq(:active) + + includes(:user).references(:users) + .where(is_external_invite.or(user_is_active)) + .where(requested_at: nil) + end + scope :invite, -> { where.not(invite_token: nil) } scope :non_invite, -> { where(invite_token: nil) } scope :request, -> { where.not(requested_at: nil) } - scope :has_access, -> { where('access_level > 0') } - - scope :guests, -> { where(access_level: GUEST) } - scope :reporters, -> { where(access_level: REPORTER) } - scope :developers, -> { where(access_level: DEVELOPER) } - scope :masters, -> { where(access_level: MASTER) } - scope :owners, -> { where(access_level: OWNER) } - scope :owners_and_masters, -> { where(access_level: [OWNER, MASTER]) } + + scope :has_access, -> { active.where('access_level > 0') } + + scope :guests, -> { active.where(access_level: GUEST) } + scope :reporters, -> { active.where(access_level: REPORTER) } + scope :developers, -> { active.where(access_level: DEVELOPER) } + scope :masters, -> { active.where(access_level: MASTER) } + scope :owners, -> { active.where(access_level: OWNER) } + scope :owners_and_masters, -> { active.where(access_level: [OWNER, MASTER]) } before_validation :generate_invite_token, on: :create, if: -> (member) { member.invite_email.present? } |