From b21980bff48de425a3994cb3914650d06d48e486 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Coutable?= Date: Wed, 15 Jun 2016 17:25:48 +0200 Subject: Fix permission checks in member row MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémy Coutable --- app/helpers/members_helper.rb | 6 ------ app/views/shared/members/_member.html.haml | 5 +++-- spec/helpers/members_helper_spec.rb | 16 ---------------- 3 files changed, 3 insertions(+), 24 deletions(-) diff --git a/app/helpers/members_helper.rb b/app/helpers/members_helper.rb index a53828ef4e7..877c77050be 100644 --- a/app/helpers/members_helper.rb +++ b/app/helpers/members_helper.rb @@ -6,12 +6,6 @@ module MembersHelper "#{action}_#{member.type.underscore}".to_sym end - def can_see_member_roles?(source:, user: nil) - return false unless user - - user.is_admin? || source.members.exists?(user_id: user.id) - end - def remove_member_message(member, user: nil) user = current_user if defined?(current_user) diff --git a/app/views/shared/members/_member.html.haml b/app/views/shared/members/_member.html.haml index c69d4cbfbe3..0191814849a 100644 --- a/app/views/shared/members/_member.html.haml +++ b/app/views/shared/members/_member.html.haml @@ -1,4 +1,5 @@ -- show_roles = local_assigns.fetch(:show_roles, true) +- default_show_roles = can?(current_user, action_member_permission(:update, member), member) || can?(current_user, action_member_permission(:destroy, member), member) +- show_roles = local_assigns.fetch(:show_roles, default_show_roles) - show_controls = local_assigns.fetch(:show_controls, true) - user = member.user @@ -36,7 +37,7 @@ method: :post, class: 'btn-xs btn' - - if show_roles && can_see_member_roles?(source: member.source, user: current_user) + - if show_roles %span.pull-right %strong= member.human_access - if show_controls diff --git a/spec/helpers/members_helper_spec.rb b/spec/helpers/members_helper_spec.rb index 0b1a76156e0..7998209b7b0 100644 
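Review bot: In the first `_member.html.haml` hunk the permission result is only the fallback of `local_assigns.fetch(:show_roles, default_show_roles)`, and the second hunk (`- if show_roles`) drops the unconditional `can_see_member_roles?` guard, so a render call that passes `show_roles: true` now displays `member.human_access` with no check on `current_user`. No caller is visible in this diff, so whether any does that is unconfirmed, but the partial would fail closed if the check stayed a hard gate: `- can_show_roles = can?(current_user, action_member_permission(:update, member), member) || can?(current_user, action_member_permission(:destroy, member), member)` followed by `- show_roles = local_assigns.fetch(:show_roles, true) && can_show_roles`. If the override is intended, a comment on the `fetch` line should say that callers passing `show_roles: true` are responsible for authorization. The commit also deletes the `#can_see_member_roles?` specs without adding a spec for the new view logic, so the role-visibility rule is untested as far as the diffstat shows.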
--- a/spec/helpers/members_helper_spec.rb +++ b/spec/helpers/members_helper_spec.rb @@ -9,22 +9,6 @@ describe MembersHelper do it { expect(action_member_permission(:admin, group_member)).to eq :admin_group_member } end - describe '#can_see_member_roles?' do - let(:project) { create(:empty_project) } - let(:group) { create(:group) } - let(:user) { build(:user) } - let(:admin) { build(:user, :admin) } - let(:project_member) { create(:project_member, project: project) } - let(:group_member) { create(:group_member, group: group) } - - it { expect(can_see_member_roles?(source: project, user: nil)).to be_falsy } - it { expect(can_see_member_roles?(source: group, user: nil)).to be_falsy } - it { expect(can_see_member_roles?(source: project, user: admin)).to be_truthy } - it { expect(can_see_member_roles?(source: group, user: admin)).to be_truthy } - it { expect(can_see_member_roles?(source: project, user: project_member.user)).to be_truthy } - it { expect(can_see_member_roles?(source: group, user: group_member.user)).to be_truthy } - end - describe '#remove_member_message' do let(:requester) { build(:user) } let(:project) { create(:project) } -- cgit v1.2.1