16 files changed, 137 insertions, 30 deletions

diff --git a/CHANGELOG b/CHANGELOG
index e641adbfcef..9a6f1bbfef5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.7.0 (unreleased)
+  - Transactions for /internal/allowed now have an "action" tag set
   - Method instrumentation now uses Module#prepend instead of aliasing methods
   - Repository.clean_old_archives is now instrumented
   - Add support for environment variables on a job level in CI configuration file
@@ -13,6 +14,7 @@ v 8.7.0 (unreleased)
   - Project switcher uses new dropdown styling
   - Load award emoji images separately unless opening the full picker. Saves several hundred KBs of data for most pages. (Connor Shea)
   - Do not include award_emojis in issue and merge_request comment_count !3610 (Lucas Charles)
+  - Restrict user profiles when public visibility level is restricted.
   - All images in discussions and wikis now link to their source files !3464 (Connor Shea).
   - Return status code 303 after a branch DELETE operation to avoid project deletion (Stan Hu)
   - Add setting for customizing the list of trusted proxies !3524
diff --git a/app/assets/javascripts/application.js.coffee b/app/assets/javascripts/application.js.coffee
index 6f435e4c542..5bac8eef1cb 100644
--- a/app/assets/javascripts/application.js.coffee
+++ b/app/assets/javascripts/application.js.coffee
@@ -174,7 +174,7 @@ $ ->
   $('.trigger-submit').on 'change', ->
     $(@).parents('form').submit()
 
-  gl.utils.localTimeAgo($('abbr.timeago, .js-timeago'), false)
+  gl.utils.localTimeAgo($('abbr.timeago, .js-timeago'), true)
 
   # Flash
   if (flash = $(".flash-container")).length > 0
diff --git a/app/assets/javascripts/dropzone_input.js.coffee b/app/assets/javascripts/dropzone_input.js.coffee
index 6eb8d27ee2b..e2194589b38 100644
--- a/app/assets/javascripts/dropzone_input.js.coffee
+++ b/app/assets/javascripts/dropzone_input.js.coffee
@@ -61,6 +61,7 @@ class @DropzoneInput
         return
 
       drop: ->
+        $mdArea.removeClass 'is-dropzone-hover'
         form.find(".div-dropzone-hover").css "opacity", 0
         form_textarea.focus()
         return
diff --git a/app/assets/javascripts/merge_request_tabs.js.coffee b/app/assets/javascripts/merge_request_tabs.js.coffee
index 1ab6e5114bc..e8613cab72b 100644
--- a/app/assets/javascripts/merge_request_tabs.js.coffee
+++ b/app/assets/javascripts/merge_request_tabs.js.coffee
@@ -183,9 +183,10 @@ class @MergeRequestTabs
       else
         $diffLine = $('td', $diffLine)
 
-      $diffLine.addClass 'hll'
-      diffLineTop = $diffLine.offset().top
-      navBarHeight = $('.navbar-gitlab').outerHeight()
+      if $diffLine.length
+        $diffLine.addClass 'hll'
+        diffLineTop = $diffLine.offset().top
+        navBarHeight = $('.navbar-gitlab').outerHeight()
 
   loadBuilds: (source) ->
     return if @buildsLoaded
diff --git a/app/assets/stylesheets/framework/header.scss b/app/assets/stylesheets/framework/header.scss
index 3f015427d07..c303380764b 100644
--- a/app/assets/stylesheets/framework/header.scss
+++ b/app/assets/stylesheets/framework/header.scss
@@ -71,7 +71,7 @@ header {
   .header-content {
     position: relative;
     height: $header-height;
-    padding-right: 20px;
+    padding-right: 40px;
 
     @media (min-width: $screen-sm-min) {
       padding-right: 0;
@@ -122,6 +122,10 @@ header {
     }
   }
 
+  .project-item-select-holder {
+    display: inline;
+  }
+
   .impersonation i {
     color: $red-normal;
   }
diff --git a/app/assets/stylesheets/pages/note_form.scss b/app/assets/stylesheets/pages/note_form.scss
index 07c707e7b77..c2371d79989 100644
--- a/app/assets/stylesheets/pages/note_form.scss
+++ b/app/assets/stylesheets/pages/note_form.scss
@@ -61,11 +61,11 @@
     padding: $gl-padding-top $gl-padding;
     border: 1px solid $note-form-border-color;
     border-radius: $border-radius-base;
+    transition: border-color ease-in-out 0.15s,
+                box-shadow ease-in-out 0.15s;
 
     &.is-focused {
-      border-color: $focus-border-color;
-      box-shadow: 0 0 2px $black-transparent,
-                  0 0 4px rgba($focus-border-color, .4);
+      @extend .form-control:focus;
 
       .comment-toolbar,
       .nav-links {
diff --git a/app/assets/stylesheets/pages/notes.scss b/app/assets/stylesheets/pages/notes.scss
index a0fbf7d67c5..ffcd89a3c9f 100644
--- a/app/assets/stylesheets/pages/notes.scss
+++ b/app/assets/stylesheets/pages/notes.scss
@@ -171,6 +171,11 @@ ul.notes {
 
       &.parallel {
         border-width: 1px;
+
+        .code,
+        code {
+          white-space: pre-wrap;
+        }
       }
 
       .notes {
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8e7956da48f..2ae180c8a12 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,7 @@
 class UsersController < ApplicationController
   skip_before_action :authenticate_user!
-  before_action :set_user
+  before_action :user
+  before_action :authorize_read_user!, only: [:show]
 
   def show
     respond_to do |format|
@@ -75,22 +76,26 @@ class UsersController < ApplicationController
 
   private
 
-  def set_user
-    @user = User.find_by_username!(params[:username])
+  def authorize_read_user!
+    render_404 unless can?(current_user, :read_user, user)
+  end
+
+  def user
+    @user ||= User.find_by_username!(params[:username])
   end
 
   def contributed_projects
-    ContributedProjectsFinder.new(@user).execute(current_user)
+    ContributedProjectsFinder.new(user).execute(current_user)
   end
 
   def contributions_calendar
     @contributions_calendar ||= Gitlab::ContributionsCalendar.
-      new(contributed_projects, @user)
+      new(contributed_projects, user)
   end
 
   def load_events
     # Get user activity feed for projects common for both users
-    @events = @user.recent_events.
+    @events = user.recent_events.
       merge(projects_for_current_user).
       references(:project).
       with_associations.
@@ -99,16 +104,16 @@ class UsersController < ApplicationController
 
   def load_projects
     @projects =
-      PersonalProjectsFinder.new(@user).execute(current_user)
+      PersonalProjectsFinder.new(user).execute(current_user)
       .page(params[:page])
   end
 
   def load_contributed_projects
-    @contributed_projects = contributed_projects.joined(@user)
+    @contributed_projects = contributed_projects.joined(user)
   end
 
   def load_groups
-    @groups = JoinedGroupsFinder.new(@user).execute(current_user)
+    @groups = JoinedGroupsFinder.new(user).execute(current_user)
   end
 
   def projects_for_current_user
diff --git a/app/models/ability.rb b/app/models/ability.rb
index c0bf6def7c5..6103a2947e2 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -18,6 +18,7 @@ class Ability
       when Namespace then namespace_abilities(user, subject)
       when GroupMember then group_member_abilities(user, subject)
       when ProjectMember then project_member_abilities(user, subject)
+      when User then user_abilities
       else []
       end.concat(global_abilities(user))
     end
@@ -35,6 +36,8 @@ class Ability
         anonymous_project_abilities(subject)
       when subject.is_a?(Group) || subject.respond_to?(:group)
         anonymous_group_abilities(subject)
+      when subject.is_a?(User)
+        anonymous_user_abilities
       else
         []
       end
@@ -81,17 +84,17 @@ class Ability
     end
 
     def anonymous_group_abilities(subject)
+      rules = []
+
       group = if subject.is_a?(Group)
                 subject
               else
                 subject.group
               end
 
-      if group && group.public?
-        [:read_group]
-      else
-        []
-      end
+      rules << :read_group if group.public?
+
+      rules
     end
 
     def anonymous_personal_snippet_abilities(snippet)
@@ -110,9 +113,14 @@ class Ability
       end
     end
 
+    def anonymous_user_abilities
+      [:read_user] unless restricted_public_level?
+    end
+
     def global_abilities(user)
       rules = []
       rules << :create_group if user.can_create_group
+      rules << :read_users_list
       rules
     end
 
@@ -163,7 +171,7 @@ class Ability
       @public_project_rules ||= project_guest_rules + [
         :download_code,
         :fork_project,
-        :read_commit_status,
+        :read_commit_status
       ]
     end
 
@@ -284,7 +292,6 @@ class Ability
 
     def group_abilities(user, group)
       rules = []
-
       rules << :read_group if can_read_group?(user, group)
 
       # Only group masters and group owners can create new projects
@@ -456,6 +463,10 @@ class Ability
       rules
     end
 
+    def user_abilities
+      [:read_user]
+    end
+
     def abilities
       @abilities ||= begin
         abilities = Six.new
@@ -470,6 +481,10 @@ class Ability
 
     private
 
+    def restricted_public_level?
+      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+    end
+
     def named_abilities(name)
       [
         :"read_#{name}",
diff --git a/app/views/admin/application_settings/_form.html.haml b/app/views/admin/application_settings/_form.html.haml
index 555aea554f0..aadd2c54f20 100644
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -26,7 +26,9 @@
         .btn-group{ data: data_attrs }
           - restricted_level_checkboxes('restricted-visibility-help').each do |level|
             = level
-        %span.help-block#restricted-visibility-help Selected levels cannot be used by non-admin users for projects or snippets
+        %span.help-block#restricted-visibility-help
+          Selected levels cannot be used by non-admin users for projects or snippets.
+          If the public level is restricted, user profiles are only visible to logged in users.
     .form-group
       = f.label :import_sources, class: 'control-label col-sm-2'
       .col-sm-10
diff --git a/doc/public_access/public_access.md b/doc/public_access/public_access.md
index 20aa90f0d69..17bb75ececd 100644
--- a/doc/public_access/public_access.md
+++ b/doc/public_access/public_access.md
@@ -58,6 +58,9 @@ you are logged in or not.
 When visiting the public page of a user, you can only see the projects which
 you are privileged to.
 
+If the public level is restricted, user profiles are only visible to logged in users.
+
+
 ## Restricting the use of public or internal projects
 
 In the Admin area under **Settings** (`/admin/application_settings`), you can
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 2200208b946..8cfa1f1556b 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -23,9 +23,11 @@ module API
       end
 
       post "/allowed" do
+        Gitlab::Metrics.tag_transaction('action', 'Grape#/internal/allowed')
+
         status 200
 
-        actor = 
+        actor =
           if params[:key_id]
             Key.find_by(id: params[:key_id])
           elsif params[:user_id]
@@ -33,7 +35,7 @@ module API
           end
 
         project_path = params[:project]
-        
+
         # Check for *.wiki repositories.
         # Strip out the .wiki from the pathname before finding the
         # project. This applies the correct project permissions to
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 0a14bac07c0..ea6fa2dc8a8 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -11,6 +11,10 @@ module API
       #  GET /users?search=Admin
       #  GET /users?username=root
       get do
+        unless can?(current_user, :read_users_list, nil)
+          render_api_error!("Not authorized.", 403)
+        end
+
         if params[:username].present?
           @users = User.where(username: params[:username])
         else
@@ -36,10 +40,12 @@ module API
       get ":id" do
         @user = User.find(params[:id])
 
-        if current_user.is_admin?
+        if current_user && current_user.is_admin?
           present @user, with: Entities::UserFull
-        else
+        elsif can?(current_user, :read_user, @user)
           present @user, with: Entities::User
+        else
+          render_api_error!("User not found.", 404)
         end
       end
 
diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb
new file mode 100644
index 00000000000..a5986598715
--- /dev/null
+++ b/spec/controllers/groups/group_members_controller_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe Groups::GroupMembersController do
+  let(:user)  { create(:user) }
+  let(:group) { create(:group) }
+
+  context "index" do
+    before do
+      group.add_owner(user)
+      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+    end
+
+    it 'renders index with group members' do
+      get :index, group_id: group.path
+
+      expect(response.status).to eq(200)
+      expect(response).to render_template(:index)
+    end
+  end
+end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 7337ff58be1..8045c8b940d 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -33,7 +33,30 @@ describe UsersController do
         it 'renders the show template' do
           get :show, username: user.username
 
-          expect(response).to be_success
+          expect(response.status).to eq(200)
+          expect(response).to render_template('show')
+        end
+      end
+    end
+
+    context 'when public visibility level is restricted' do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+      end
+
+      context 'when logged out' do
+        it 'renders 404' do
+          get :show, username: user.username
+          expect(response.status).to eq(404)
+        end
+      end
+
+      context 'when logged in' do
+        before { sign_in(user) }
+
+        it 'renders show' do
+          get :show, username: user.username
+          expect(response.status).to eq(200)
           expect(response).to render_template('show')
         end
       end
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 679227bf881..40b24c125b5 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -20,6 +20,24 @@ describe API::API, api: true  do
     end
 
     context "when authenticated" do
+      #These specs are written just in case API authentication is not required anymore
+      context "when public level is restricted" do
+        before do
+          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+          allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
+        end
+
+        it "renders 403" do
+          get api("/users")
+          expect(response.status).to eq(403)
+        end
+
+        it "renders 404" do
+          get api("/users/#{user.id}")
+          expect(response.status).to eq(404)
+        end
+      end
+
       it "should return an array of users" do
         get api("/users", user)
         expect(response.status).to eq(200)