gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author Sean McGivern <sean@gitlab.com> 2016-10-27 17:59:00 +0300
committer Sean McGivern <sean@gitlab.com> 2016-10-28 11:20:55 +0300
commit db9979bcad17e46ef2b151b018c5f7769d33ca77
tree ec082f5d545879bd32661809423346669f291b11 /app/models/project_team.rb
parent 20a7db4483904c7280093a0309a63dfd1b7ef72e
Fix project member access for group links
`ProjectTeam#find_member` doesn't take group links into account. It was used in two places:

1. An admin view - it can stay here.
2. `ProjectTeam#member?`, which is often used to decide if a user has access to view something.

This second part broke confidential issues viewing. `IssuesFinder` ends up delegating to `Project#authorized_for_user?`, which does consider group links, so users with access to the project via a group link could see confidential issues on the index page. However, `IssuesPolicy` used `ProjectTeam#member?`, so the same user couldn't view the issue when going to it directly.
Diffstat (limited to 'app/models/project_team.rb')
-rw-r--r-- app/models/project_team.rb 10
1 files changed, 2 insertions, 8 deletions
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 79d041d2775..a6e911df9bd 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -125,14 +125,8 @@ class ProjectTeam
max_member_access(user.id) == Gitlab::Access::MASTER
end
- def member?(user, min_member_access = nil)
- member = !!find_member(user.id)
-
- if min_member_access
- member && max_member_access(user.id) >= min_member_access
- else
- member
- end
+ def member?(user, min_member_access = Gitlab::Access::GUEST)
+ max_member_access(user.id) >= min_member_access
end
def human_max_access(user_id)
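Review bot: In the new `member?`, the result rests entirely on `max_member_access(user.id) >= min_member_access`, and two inputs that the old body tolerated are no longer guarded. First, a caller that still passes `nil` explicitly as `min_member_access` (the previous default) used to get the plain membership check and will now compare an access level against nil; either audit the callers or keep a `min_member_access ||= Gitlab::Access::GUEST` line at the top. Second, with the `find_member` check removed, please confirm that `max_member_access` always returns a numeric level below `Gitlab::Access::GUEST` for a user with no access at all, never nil, otherwise the comparison raises instead of returning false. Since this method feeds access decisions such as the confidential-issue check named in the commit message, a spec for a user whose only access comes through a group link, with and without an explicit minimum level, should accompany the change.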