Merge branch 'fix-ldap-group-info-leak' into 'master'

Hide the info mentioning the linked LDAP groups if you are not logged in. As mentioned by a customer here: https://gitlab.zendesk.com/agent/tickets/15466 When a group contains public projects, it is possible to get at it's members without being logged in, **but** this page also leaks information if it is synched with LDAP. The `DN` of the linked groups will be shown: ![Screen_Shot_2016-02-12_at_5.16.29_PM](/uploads/f5339db6c1a57e4cb7f1ef0e323e0604/Screen_Shot_2016-02-12_at_5.16.29_PM.png) This MR fixes that in that it only shows that information if the user is logged in. /cc @DouweM See merge request !180

Merge branch 'fix-ldap-group-info-leak' into 'master'
Hide the info mentioning the linked LDAP groups if you are not logged in. As mentioned by a customer here: https://gitlab.zendesk.com/agent/tickets/15466 When a group contains public projects, it is possible to get at it's members without being logged in, **but** this page also leaks information if it is synched with LDAP. The `DN` of the linked groups will be shown: ![Screen_Shot_2016-02-12_at_5.16.29_PM](/uploads/f5339db6c1a57e4cb7f1ef0e323e0604/Screen_Shot_2016-02-12_at_5.16.29_PM.png) This MR fixes that in that it only shows that information if the user is logged in. /cc @DouweM See merge request !180
9c0b1aa1 · Patricio Cano · 55fcd3db · cd501039 · 9c0b1aa1
Commit 9c0b1aa1 authored Feb 17, 2016 by Patricio Cano
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

app/views/groups/group_members/index.html.haml app/views/groups/group_members/index.html.haml +3 -3

No files found.
--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -2,7 +2,7 @@
 - header_title group_title(@group, "Members", group_group_members_path(@group))
 .group-members-page.prepend-top-default
-  - if current_user && current_user.can?(:admin_group_member, @group)
+  - if current_user && can?(current_user, :admin_group_member, @group)
    .panel.panel-default
      .panel-heading
        Add new user to group
@@ -13,7 +13,7 @@
        .new-group-member-holder
          = render "new_group_member"
-  - if @group.ldap_synced?
+  - if current_user && @group.ldap_synced?
    .bs-callout.bs-callout-info
      The members of this group are managed using LDAP and cannot be added, changed or removed here.
      Because LDAP permissions in GitLab get updated one user at a time and because GitLab caches LDAP check results, changes on your LDAP server or in this group's LDAP sync settings may take up to #{Gitlab.config.ldap['sync_time']}s to show in the list below.
@@ -25,7 +25,7 @@
            are given
            %code= ldap_group_link.human_access
            access.
-      - if current_user && current_user.can?(:admin_group, @group)
+      - if can?(current_user, :admin_group_member, @group)
        = form_tag(reset_access_group_ldap_path(@group), method: :put, class: 'inline') do
          = button_to 'Clear LDAP permission cache', '#', class: "btn btn-remove js-confirm-danger",
            data: { "confirm-danger-message" => clear_ldap_permission_cache_message,