1 files changed, 20 insertions, 3 deletions

diff --git a/app/finders/personal_projects_finder.rb b/app/finders/personal_projects_finder.rb
index 5aea0cb8192..a56a3a1e1a9 100644
--- a/app/finders/personal_projects_finder.rb
+++ b/app/finders/personal_projects_finder.rb
@@ -1,6 +1,9 @@
 class PersonalProjectsFinder < UnionFinder
-  def initialize(user)
+  include Gitlab::Allowable
+
+  def initialize(user, params = {})
     @user = user
+    @params = params
   end
 
   # Finds the projects belonging to the user in "@user", limited to either
@@ -8,9 +11,13 @@ class PersonalProjectsFinder < UnionFinder
   #
   # current_user - When given the list of projects is limited to those only
   #                visible by this user.
+  # params       - Optional query parameters
+  #                  min_access_level: integer
   #
   # Returns an ActiveRecord::Relation.
   def execute(current_user = nil)
+    return Project.none unless can?(current_user, :read_user_profile, @user)
+
     segments = all_projects(current_user)
 
     find_union(segments, Project).includes(:namespace).order_updated_desc
@@ -19,11 +26,21 @@ class PersonalProjectsFinder < UnionFinder
   private
 
   def all_projects(current_user)
-    projects = []
+    return [projects_with_min_access_level(current_user)] if current_user && min_access_level?
 
+    projects = []
     projects << @user.personal_projects.visible_to_user(current_user) if current_user
     projects << @user.personal_projects.public_to_user(current_user)
-
     projects
   end
+
+  def projects_with_min_access_level(current_user)
+    @user
+      .personal_projects
+      .visible_to_user_and_access_level(current_user, @params[:min_access_level])
+  end
+
+  def min_access_level?
+    @params[:min_access_level].present?
+  end
 end