10 files changed, 73 insertions, 14 deletions

diff --git a/app/controllers/explore/groups_controller.rb b/app/controllers/explore/groups_controller.rb
index a9bf4321f73..9575a87ee41 100644
--- a/app/controllers/explore/groups_controller.rb
+++ b/app/controllers/explore/groups_controller.rb
@@ -1,6 +1,6 @@
 class Explore::GroupsController < Explore::ApplicationController
   def index
-    @groups = Group.order_id_desc
+    @groups = GroupsFinder.new.execute(current_user)
     @groups = @groups.search(params[:search]) if params[:search].present?
     @groups = @groups.sort(@sort = params[:sort])
     @groups = @groups.page(params[:page]).per(PER_PAGE)
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index f05c29e9974..13de19bc141 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -131,7 +131,7 @@ class GroupsController < Groups::ApplicationController
   end
 
   def group_params
-    params.require(:group).permit(:name, :description, :path, :avatar, :public)
+    params.require(:group).permit(:name, :description, :path, :avatar, :public, :visibility_level)
   end
 
   def load_events
diff --git a/app/finders/groups_finder.rb b/app/finders/groups_finder.rb
new file mode 100644
index 00000000000..a3a8cd541de
--- /dev/null
+++ b/app/finders/groups_finder.rb
@@ -0,0 +1,31 @@
+class GroupsFinder
+  def execute(current_user = nil)
+
+    segments = all_groups(current_user)
+
+    if segments.length > 1
+      union = Gitlab::SQL::Union.new(segments.map { |s| s.select(:id) })
+      Group.where("namespaces.id IN (#{union.to_sql})").order_id_desc
+    else
+      segments.first
+    end
+  end
+
+  private
+
+  def all_groups(current_user)
+    if current_user
+      [current_user.authorized_groups, public_and_internal_groups]
+    else
+      [Group.public_only]
+    end
+  end
+
+  def public_groups
+    Group.unscoped.public_only
+  end
+
+  def public_and_internal_groups
+    Group.unscoped.public_and_internal_only
+  end
+end
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 1d36969cd62..b1f0a765bb9 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -19,6 +19,10 @@ module GroupsHelper
     end
   end
 
+  def can_change_group_visibility_level?(group)
+    can?(current_user, :change_visibility_level, group)
+  end
+
   def group_icon(group)
     if group.is_a?(String)
       group = Group.find_by(path: group)
diff --git a/app/helpers/visibility_level_helper.rb b/app/helpers/visibility_level_helper.rb
index 71d33b445c2..c47342534a8 100644
--- a/app/helpers/visibility_level_helper.rb
+++ b/app/helpers/visibility_level_helper.rb
@@ -19,6 +19,8 @@ module VisibilityLevelHelper
     case form_model
     when Project
       project_visibility_level_description(level)
+    when Group
+      group_visibility_level_description(level)
     when Snippet
       snippet_visibility_level_description(level, form_model)
     end
@@ -35,6 +37,17 @@ module VisibilityLevelHelper
     end
   end
 
+  def group_visibility_level_description(level)
+    case level
+    when Gitlab::VisibilityLevel::PRIVATE
+      "The group can be accessed only by members."
+    when Gitlab::VisibilityLevel::INTERNAL
+      "The group can be accessed by any logged user."
+    when Gitlab::VisibilityLevel::PUBLIC
+      "The group can be accessed without any authentication."
+    end
+  end
+
   def snippet_visibility_level_description(level, snippet = nil)
     case level
     when Gitlab::VisibilityLevel::PRIVATE
diff --git a/app/models/ability.rb b/app/models/ability.rb
index fe9e0aab717..c84ded61606 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -275,11 +275,12 @@ class Ability
         rules << :read_group
       end
 
-      # Only group masters and group owners can create new projects in group
+      # Only group masters and group owners can create new projects and change permission level
       if group.has_master?(user) || group.has_owner?(user) || user.admin?
         rules += [
           :create_projects,
-          :admin_milestones
+          :admin_milestones,
+          :change_visibility_level
         ]
       end
 
diff --git a/app/models/group.rb b/app/models/group.rb
index 76042b3e3fd..26914f55541 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -2,15 +2,16 @@
 #
 # Table name: namespaces
 #
-#  id          :integer          not null, primary key
-#  name        :string(255)      not null
-#  path        :string(255)      not null
-#  owner_id    :integer
-#  created_at  :datetime
-#  updated_at  :datetime
-#  type        :string(255)
-#  description :string(255)      default(""), not null
-#  avatar      :string(255)
+#  id                     :integer          not null, primary key
+#  name                   :string(255)      not null
+#  path                   :string(255)      not null
+#  owner_id               :integer
+#  visibility_level       :integer          default(20), not null
+#  created_at             :key => "value", datetime
+#  updated_at             :datetime
+#  type                   :string(255)
+#  description            :string(255)      default(""), not null
+#  avatar                 :string(255)
 #
 
 require 'carrierwave/orm/activerecord'
@@ -18,8 +19,10 @@ require 'file_size_validator'
 
 class Group < Namespace
   include Gitlab::ConfigHelper
+  include Gitlab::VisibilityLevel
   include Referable
 
+
   has_many :group_members, dependent: :destroy, as: :source, class_name: 'GroupMember'
   alias_method :members, :group_members
   has_many :users, through: :group_members
@@ -32,6 +35,10 @@ class Group < Namespace
   after_create :post_create_hook
   after_destroy :post_destroy_hook
 
+  scope :public_only, -> { where(visibility_level: Group::PUBLIC) }
+  scope :public_and_internal_only, -> { where(visibility_level: [Group::PUBLIC, Group::INTERNAL] ) }
+
+
   class << self
     def search(query)
       where("LOWER(namespaces.name) LIKE :query or LOWER(namespaces.path) LIKE :query", query: "%#{query.downcase}%")
diff --git a/app/views/groups/edit.html.haml b/app/views/groups/edit.html.haml
index 3430f56a9c9..ea223d2209f 100644
--- a/app/views/groups/edit.html.haml
+++ b/app/views/groups/edit.html.haml
@@ -23,6 +23,8 @@
             %hr
             = link_to 'Remove avatar', group_avatar_path(@group.to_param), data: { confirm: "Group avatar will be removed. Are you sure?"}, method: :delete, class: "btn btn-remove btn-sm remove-avatar"
 
+      = render 'shared/visibility_level', f: f, visibility_level: @group.visibility_level, can_change_visibility_level: can_change_group_visibility_level?(@group), form_model: @group
+
       .form-actions
         = f.submit 'Save group', class: "btn btn-save"
 
diff --git a/app/views/groups/new.html.haml b/app/views/groups/new.html.haml
index 4bc31cabea6..1526ca42634 100644
--- a/app/views/groups/new.html.haml
+++ b/app/views/groups/new.html.haml
@@ -17,6 +17,8 @@
     .col-sm-10
       = render 'shared/choose_group_avatar_button', f: f
 
+  = render 'shared/visibility_level', f: f, visibility_level: @group.visibility_level, can_change_visibility_level: true, form_model: @group
+
   .form-group
     .col-sm-offset-2.col-sm-10
       = render 'shared/group_tips'
diff --git a/app/views/shared/_group_tips.html.haml b/app/views/shared/_group_tips.html.haml
index e5cf783beb7..46e4340511a 100644
--- a/app/views/shared/_group_tips.html.haml
+++ b/app/views/shared/_group_tips.html.haml
@@ -1,6 +1,5 @@
 %ul
   %li A group is a collection of several projects
-  %li Groups are private by default
   %li Members of a group may only view projects they have permission to access
   %li Group project URLs are prefixed with the group namespace
   %li Existing projects may be moved into a group