Merge branch 'security-6881-project-group-approvers-leaks-private-group-info-ce' into 'master'

[master] CE: Project group approvers leaks private group info See merge request gitlab/gitlabhq!2488
author: Bob Van Landuyt <bob@gitlab.com> 2018-10-01 19:45:01 +0300
committer: Bob Van Landuyt <bob@gitlab.com> 2018-10-01 19:45:01 +0300
commit: b93f1d3cf8d5325c9fc9283afacfca069ddc3d62 (patch)
tree: f4b896235f33814b874a8e020d31e2669ae2d8a4 /app/finders
parent: d4e54b7ea68b5f9a687d23e86be6935762b9fc51 (diff)
parent: 487ac98a2a7cebb1bdef3a5038c926c56380881c (diff)
1 files changed, 4 insertions, 15 deletions
diff --git a/app/finders/joined_groups_finder.rb b/app/finders/joined_groups_finder.rb
index 18cc6891ca4..4d8128dd824 100644
--- a/app/finders/joined_groups_finder.rb
+++ b/app/finders/joined_groups_finder.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class JoinedGroupsFinder < UnionFinder
+class JoinedGroupsFinder
   def initialize(user)
     @user = user
   end
@@ -8,19 +8,8 @@ class JoinedGroupsFinder < UnionFinder
   # Finds the groups of the source user, optionally limited to those visible to
   # the current user.
   def execute(current_user = nil)
-    segments = all_groups(current_user)
-
-    find_union(segments, Group).order_id_desc
-  end
-
-  private
-
-  def all_groups(current_user)
-    groups = []
-
-    groups << @user.authorized_groups.visible_to_user(current_user) if current_user
-    groups << @user.authorized_groups.public_to_user(current_user)
-
-    groups
+    @user.authorized_groups
+      .public_or_visible_to_user(current_user)
+      .order_id_desc
   end
 end
author	Bob Van Landuyt <bob@gitlab.com>	2018-10-01 19:45:01 +0300
committer	Bob Van Landuyt <bob@gitlab.com>	2018-10-01 19:45:01 +0300
commit	b93f1d3cf8d5325c9fc9283afacfca069ddc3d62 (patch)
tree	f4b896235f33814b874a8e020d31e2669ae2d8a4 /app/finders
parent	d4e54b7ea68b5f9a687d23e86be6935762b9fc51 (diff)
parent	487ac98a2a7cebb1bdef3a5038c926c56380881c (diff)