Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete' into 'master'

Hide private members in project member autocomplete See merge request gitlab/gitlabhq!3212
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-29 18:58:31 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-29 18:58:31 +0300
commit: b0f939a79fe16ff760d6e589c8f9cd71c0fa1da7 (patch)
tree: 0b41b378794f136d1b7855b327fdb555dbe1eec5 /app/services
parent: 8d0b026ac70cbb52afbf0d61b88925c5d1d33d94 (diff)
parent: 506bf4281795d5d05c80b0bef59511120dbc8d81 (diff)
1 files changed, 55 insertions, 2 deletions
diff --git a/app/services/projects/participants_service.rb b/app/services/projects/participants_service.rb
index 7080f388e53..1cd81fe37c7 100644
--- a/app/services/projects/participants_service.rb
+++ b/app/services/projects/participants_service.rb
@@ -7,16 +7,69 @@ module Projects
     def execute(noteable)
       @noteable = noteable
 
-      participants = noteable_owner + participants_in_noteable + all_members + groups + project_members
+      participants =
+        noteable_owner +
+        participants_in_noteable +
+        all_members +
+        groups +
+        project_members
+
       participants.uniq
     end
 
     def project_members
-      @project_members ||= sorted(project.team.members)
+      @project_members ||= sorted(get_project_members)
+    end
+
+    def get_project_members
+      members = Member.from_union([project_members_through_ancestral_groups,
+                                   project_members_through_invited_groups,
+                                   individual_project_members])
+
+      User.id_in(members.select(:user_id))
     end
 
     def all_members
       [{ username: "all", name: "All Project and Group Members", count: project_members.count }]
     end
+
+    private
+
+    def project_members_through_invited_groups
+      groups_with_ancestors_ids = Gitlab::ObjectHierarchy
+        .new(visible_groups)
+        .base_and_ancestors
+        .pluck_primary_key
+
+      GroupMember
+        .active_without_invites_and_requests
+        .with_source_id(groups_with_ancestors_ids)
+    end
+
+    def visible_groups
+      visible_groups = project.invited_groups
+
+      unless project_owner?
+        visible_groups = visible_groups.public_or_visible_to_user(current_user)
+      end
+
+      visible_groups
+    end
+
+    def project_members_through_ancestral_groups
+      project.group.present? ? project.group.members_with_parents : Member.none
+    end
+
+    def individual_project_members
+      project.project_members
+    end
+
+    def project_owner?
+      if project.group.present?
+        project.group.owners.include?(current_user)
+      else
+        project.namespace.owner == current_user
+      end
+    end
   end
 end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-29 18:58:31 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-29 18:58:31 +0300
commit	b0f939a79fe16ff760d6e589c8f9cd71c0fa1da7 (patch)
tree	0b41b378794f136d1b7855b327fdb555dbe1eec5 /app/services
parent	8d0b026ac70cbb52afbf0d61b88925c5d1d33d94 (diff)
parent	506bf4281795d5d05c80b0bef59511120dbc8d81 (diff)