Merge branch 'security-ag-cycle-analytics-guest-permissions-12-3' into '12-3-stable'

Prevent guests from seeing commits for cycle analytics

See merge request gitlab/gitlabhq!3535

1 files changed, 19 insertions, 3 deletions

diff --git a/lib/gitlab/cycle_analytics/stage_summary.rb b/lib/gitlab/cycle_analytics/stage_summary.rb
index 5198dd5b4eb..c0ee65a106d 100644
--- a/lib/gitlab/cycle_analytics/stage_summary.rb
+++ b/lib/gitlab/cycle_analytics/stage_summary.rb
@@ -10,13 +10,29 @@ module Gitlab
       end
 
       def data
-        [serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user)),
-         serialize(Summary::Commit.new(project: @project, from: @from)),
-         serialize(Summary::Deploy.new(project: @project, from: @from))]
+        summary = [issue_stats]
+        summary << commit_stats if user_has_sufficient_access?
+        summary << deploy_stats
       end
 
       private
 
+      def issue_stats
+        serialize(Summary::Issue.new(project: @project, from: @from, current_user: @current_user))
+      end
+
+      def commit_stats
+        serialize(Summary::Commit.new(project: @project, from: @from))
+      end
+
+      def deploy_stats
+        serialize(Summary::Deploy.new(project: @project, from: @from))
+      end
+
+      def user_has_sufficient_access?
+        @project.team.member?(@current_user, Gitlab::Access::REPORTER)
+      end
+
       def serialize(summary_object)
         AnalyticsSummarySerializer.new.represent(summary_object)
       end