Project members with guest role can't access confidential issues

author: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-06-06 22:13:31 +0300
committer: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-06-14 01:32:00 +0300
commit: b56c45675019baaaf47615d51c08d5caa0734ad3 (patch)
tree: b933c21ab49a745a6839aa1127c237ffe7a3a3fb /app/models/issue.rb
parent: af8500f43010f42176b2ec1814f0fe7248258b05 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 235922710ad..6ecb3535359 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -54,7 +54,15 @@ class Issue < ActiveRecord::Base
     return where(confidential: false) if user.blank?
     return all if user.admin?
 
-    where('issues.confidential = false OR (issues.confidential = true AND (issues.author_id = :user_id OR issues.assignee_id = :user_id OR issues.project_id IN(:project_ids)))', user_id: user.id, project_ids: user.authorized_projects.select(:id))
+    where('
+      issues.confidential IS NULL
+      OR issues.confidential IS FALSE
+      OR (issues.confidential = TRUE
+        AND (issues.author_id = :user_id
+          OR issues.assignee_id = :user_id
+          OR issues.project_id IN(:project_ids)))',
+      user_id: user.id,
+      project_ids: user.authorized_projects(Gitlab::Access::REPORTER).select(:id))
   end
 
   def self.reference_prefix
author	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-06-06 22:13:31 +0300
committer	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-06-14 01:32:00 +0300
commit	b56c45675019baaaf47615d51c08d5caa0734ad3 (patch)
tree	b933c21ab49a745a6839aa1127c237ffe7a3a3fb /app/models/issue.rb
parent	af8500f43010f42176b2ec1814f0fe7248258b05 (diff)