Commit 07b38c3b authored by Felipe Artur's avatar Felipe Artur

Code fixes

parent 147879ae
class Projects::ProjectMembersController < Projects::ApplicationController class Projects::ProjectMembersController < Projects::ApplicationController
# Authorize # Authorize
before_action :authorize_admin_project_member!, except: :leave before_action :authorize_admin_project_member!, except: :leave
before_action :authorize_read_project_members, only: :index
def index def index
@project_members = @project.project_members @project_members = @project.project_members
...@@ -113,10 +112,4 @@ class Projects::ProjectMembersController < Projects::ApplicationController ...@@ -113,10 +112,4 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def member_params def member_params
params.require(:project_member).permit(:user_id, :access_level) params.require(:project_member).permit(:user_id, :access_level)
end end
private
def authorize_read_project_members
can?(current_user, :read_project_members, @project)
end
end end
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
before_action :set_user, except: [:show] before_action :user
before_action :authorize_read_user!, only: [:show] before_action :authorize_read_user!, only: [:show]
def show def show
...@@ -77,26 +77,25 @@ class UsersController < ApplicationController ...@@ -77,26 +77,25 @@ class UsersController < ApplicationController
private private
def authorize_read_user! def authorize_read_user!
set_user render_404 unless can?(current_user, :read_user, user)
render_404 unless can?(current_user, :read_user, @user)
end end
def set_user def user
@user = User.find_by_username!(params[:username]) @user ||= User.find_by_username!(params[:username])
end end
def contributed_projects def contributed_projects
ContributedProjectsFinder.new(@user).execute(current_user) ContributedProjectsFinder.new(user).execute(current_user)
end end
def contributions_calendar def contributions_calendar
@contributions_calendar ||= Gitlab::ContributionsCalendar. @contributions_calendar ||= Gitlab::ContributionsCalendar.
new(contributed_projects, @user) new(contributed_projects, user)
end end
def load_events def load_events
# Get user activity feed for projects common for both users # Get user activity feed for projects common for both users
@events = @user.recent_events. @events = user.recent_events.
merge(projects_for_current_user). merge(projects_for_current_user).
references(:project). references(:project).
with_associations. with_associations.
...@@ -105,16 +104,16 @@ class UsersController < ApplicationController ...@@ -105,16 +104,16 @@ class UsersController < ApplicationController
def load_projects def load_projects
@projects = @projects =
PersonalProjectsFinder.new(@user).execute(current_user) PersonalProjectsFinder.new(user).execute(current_user)
.page(params[:page]) .page(params[:page])
end end
def load_contributed_projects def load_contributed_projects
@contributed_projects = contributed_projects.joined(@user) @contributed_projects = contributed_projects.joined(user)
end end
def load_groups def load_groups
@groups = JoinedGroupsFinder.new(@user).execute(current_user) @groups = JoinedGroupsFinder.new(user).execute(current_user)
end end
def projects_for_current_user def projects_for_current_user
......
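Review bot: `authorize_read_user!` is still applied `only: [:show]` while the new `before_action :user` now loads the profile for every action, so the actions that drive `load_events`, `load_projects` and `load_groups` (their names are outside this hunk) reach the user's data without the `:read_user` check and rely solely on each finder's `execute(current_user)` filtering. If `:read_user` is meant to hide profiles under a restricted public visibility level (the spec further down stubs exactly that setting), apply it to every action: `before_action :authorize_read_user!` with no `only:`, keeping it after `before_action :user` so the lookup has run. The memoized `user` helper still raises from `find_by_username!` on an unknown username, so dropping `only:` does not change the not-found path.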
class Ability class Ability
class << self class << self
def allowed(user, subject) def allowed(user, subject)
return anonymous_abilities(user, subject) if user.nil? return anonymous_abilities(user, subject) if user.nil?
...@@ -58,7 +57,6 @@ class Ability ...@@ -58,7 +57,6 @@ class Ability
:read_label, :read_label,
:read_milestone, :read_milestone,
:read_project_snippet, :read_project_snippet,
:read_project_member,
:read_merge_request, :read_merge_request,
:read_note, :read_note,
:read_commit_status, :read_commit_status,
...@@ -71,8 +69,6 @@ class Ability ...@@ -71,8 +69,6 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential # Allow to read issues by anonymous user if issue is not confidential
rules << :read_issue unless subject.is_a?(Issue) && subject.confidential? rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?
rules << :read_project_member unless restricted_public_level?
rules - project_disabled_features_rules(project) rules - project_disabled_features_rules(project)
else else
[] []
...@@ -96,9 +92,8 @@ class Ability ...@@ -96,9 +92,8 @@ class Ability
end end
if group if group
rules << [:read_group] if group.public? rules << :read_group if group.public?
rules << :read_group_members unless restricted_public_level?
rules << [:read_group_members] unless restricted_public_level?
end end
rules rules
...@@ -156,7 +151,6 @@ class Ability ...@@ -156,7 +151,6 @@ class Ability
rules -= project_archived_rules rules -= project_archived_rules
end end
rules << :read_project_members
rules - project_disabled_features_rules(project) rules - project_disabled_features_rules(project)
end end
end end
......
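Review bot: In the group branch the new `rules << :read_group_members unless restricted_public_level?` is not conditioned on `group.public?`, unlike the `:read_group` rule on the line above it, so a logged-out visitor is granted `:read_group_members` on a non-public group whenever the public level is not restricted, assuming this is the anonymous path that `allowed` dispatches to for a nil user. The membership rule should be at least as strict as the group rule: `rules << :read_group_members if group.public? && !restricted_public_level?`. The enclosing method starts outside this hunk, so if callers already filter to public groups before reaching it this is only defence in depth, but the ability itself should not be broader than `:read_group`.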
...@@ -77,7 +77,7 @@ ...@@ -77,7 +77,7 @@
Merge Requests Merge Requests
%span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count) %span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
- if project_nav_tab?(:settings) && can?(current_user, :read_project_members, @project) - if project_nav_tab?(:settings)
= nav_link(controller: [:project_members, :teams]) do = nav_link(controller: [:project_members, :teams]) do
= link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do = link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do
= icon('users fw') = icon('users fw')
......
...@@ -41,7 +41,7 @@ describe UsersController do ...@@ -41,7 +41,7 @@ describe UsersController do
end end
end end
context 'When public visibility level is restricted' do context 'when public visibility level is restricted' do
before do before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC]) stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end end
......