• Sean McGivern's avatar
    Fix project member access for group links · db9979bc
    Sean McGivern authored
    `ProjectTeam#find_member` doesn't take group links into account. It was
    used in two places:
    
    1. An admin view - it can stay here.
    2. `ProjectTeam#member?`, which is often used to decide if a user has
       access to view something.
    
    This second part broke confidential issues viewing. `IssuesFinder` ends
    up delegating to `Project#authorized_for_user?`, which does consider
    group links, so users with access to the project via a group link could
    see confidential issues on the index page. However, `IssuesPolicy` used
    `ProjectTeam#member?`, so the same user couldn't view the issue when
    going to it directly.
    db9979bc
project_team.rb 6.69 KB