diff options
author | Robert Speicher <robert@gitlab.com> | 2015-12-27 21:09:16 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2015-12-27 21:09:16 +0000 |
commit | a97a2d27205637ea2ff6da112dabc1499c37ccfe (patch) | |
tree | b49b508683a5cc184e4fd010072baff4e0a82515 /lib/banzai/filter/user_reference_filter.rb | |
parent | a52746649d1db4f52ae4e989dcf654ef4af57905 (diff) | |
parent | 9a0e16f4548bca25f6efc6cd7a4dd0af42b60042 (diff) | |
download | gitlab-ce-a97a2d27205637ea2ff6da112dabc1499c37ccfe.tar.gz |
Merge branch 'mention-all' into 'master'
Only allow group/project members to mention `@all`
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/3473
See merge request !2205
Diffstat (limited to 'lib/banzai/filter/user_reference_filter.rb')
-rw-r--r-- | lib/banzai/filter/user_reference_filter.rb | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/banzai/filter/user_reference_filter.rb b/lib/banzai/filter/user_reference_filter.rb index 7f302d51dd7..964ab60f614 100644 --- a/lib/banzai/filter/user_reference_filter.rb +++ b/lib/banzai/filter/user_reference_filter.rb @@ -39,7 +39,7 @@ module Banzai end end - def self.user_can_reference?(user, node, context) + def self.user_can_see_reference?(user, node, context) if node.has_attribute?('data-group') group = Group.find(node.attr('data-group')) rescue nil Ability.abilities.allowed?(user, :read_group, group) @@ -48,6 +48,18 @@ module Banzai end end + def self.user_can_reference?(user, node, context) + # Only team members can reference `@all` + if node.has_attribute?('data-project') + project = Project.find(node.attr('data-project')) rescue nil + return false unless project + + user && project.team.member?(user) + else + super + end + end + def call replace_text_nodes_matching(User.reference_pattern) do |content| user_link_filter(content) |