From c2dd4239c939e003dfe569196ec2d39e2478606e Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Tue, 1 Aug 2017 10:42:54 -0700
Subject: short-circuit if there is no policy, and add :read_project check

---
 app/models/notification_recipient.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'app/models')

diff --git a/app/models/notification_recipient.rb b/app/models/notification_recipient.rb
index 28ac22da6e2..837b62ec0cb 100644
--- a/app/models/notification_recipient.rb
+++ b/app/models/notification_recipient.rb
@@ -76,10 +76,13 @@ class NotificationRecipient
   end
 
   def has_access?
-    return false unless user.can?(:receive_notifications)
-    return true unless @read_ability
-
     DeclarativePolicy.subject_scope do
+      return false unless user.can?(:receive_notifications)
+      return false if @project && !user.can?(:read_project, @project)
+
+      return true unless @read_ability
+      return true unless DeclarativePolicy.has_policy?(@target)
+
       user.can?(@read_ability, @target)
     end
   end
-- 
cgit v1.2.1