
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorYorick Peterse <yorickpeterse@gmail.com>2019-01-24 16:51:18 +0300
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-24 17:04:09 +0300
commit6800906a3d698f3493a81f65d1fbb7ae8d7ee5f3 (patch)
treee4a12f946ef9e3f8d16fdb6384ce5fc2d40cff58 /app
parenta3dfd6acb94465b566800c3669decbe384caf478 (diff)
Merge branch 'security-project-move-users-11-7' into 'security-11-7'
[11.7] Sent notification only to authorized users See merge request gitlab/gitlabhq!2856 (cherry picked from commit 578b8f124aa3edc2e3d2b937b5f9e842aec6eaef) e9f82b57 Sent notification only to authorized users
Diffstat (limited to 'app')
-rw-r--r--app/models/member.rb2
-rw-r--r--app/models/project_team.rb12
-rw-r--r--app/services/notification_service.rb3
3 files changed, 16 insertions, 1 deletions
diff --git a/app/models/member.rb b/app/models/member.rb
index 9fc95ea00c3..82d207b79de 100644
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -84,6 +84,8 @@ class Member < ActiveRecord::Base
scope :order_recent_sign_in, -> { left_join_users.reorder(Gitlab::Database.nulls_last_order('users.last_sign_in_at', 'DESC')) }
scope :order_oldest_sign_in, -> { left_join_users.reorder(Gitlab::Database.nulls_last_order('users.last_sign_in_at', 'ASC')) }
+ scope :on_project_and_ancestors, ->(project) { where(source: [project] + project.ancestors) }
+
before_validation :generate_invite_token, on: :create, if: -> (member) { member.invite_email.present? }
after_create :send_invite, if: :invite?, unless: :importing?
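Review bot: The new `on_project_and_ancestors` scope filters on `source` only, so it appears to match every membership row attached to the project or its ancestor groups, including pending access requests if those are stored as Member rows (not visible in this hunk, confirm against the model). `member_user_ids` in app/models/project_team.rb uses this scope as the allow-list for project-move notifications, so a user whose authorization row is stale and who has only a pending request would still pass the filter. Consider excluding unapproved rows, for example `where(source: [project] + project.ancestors, requested_at: nil)` if that column carries the request state. A short comment such as `# Returns all membership rows for the project and its ancestor groups, regardless of state` would make the scope's contract explicit for later callers.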
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 33bc6a561f9..aeba2843e5d 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -74,6 +74,14 @@ class ProjectTeam
end
alias_method :users, :members
+ # `members` method uses project_authorizations table which
+ # is updated asynchronously, on project move it still contains
+ # old members who may not have access to the new location,
+ # so we filter out only members of project or project's group
+ def members_in_project_and_ancestors
+ members.where(id: member_user_ids)
+ end
+
def guests
@guests ||= fetch_members(Gitlab::Access::GUEST)
end
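Review bot: The comment on `members_in_project_and_ancestors` does not say that the method is narrower than "everyone who currently has access", and its callers need to know that. Users whose access comes from somewhere other than a direct membership on the project or an ancestor group (for instance a group shared with the project, if that feature applies here) have no matching Member row and would be dropped even though they are legitimately authorized. If that is intended as a fail-closed trade-off, state it in the comment, e.g. `# Deliberately excludes users authorized by other means; safe for notifications, not an access check`. It would also be worth a spec that covers a member of the old group who has no membership in the new location.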
@@ -191,4 +199,8 @@ class ProjectTeam
def group
project.group
end
+
+ def member_user_ids
+ Member.on_project_and_ancestors(project).select(:user_id)
+ end
end
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index e1cf327209b..1a65561dd70 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -373,7 +373,8 @@ class NotificationService
end
def project_was_moved(project, old_path_with_namespace)
- recipients = notifiable_users(project.team.members, :mention, project: project)
+ recipients = project.private? ? project.team.members_in_project_and_ancestors : project.team.members
+ recipients = notifiable_users(recipients, :mention, project: project)
recipients.each do |recipient|
mailer.project_was_moved_email(
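Review bot: The membership filter in `project_was_moved` is applied only when `project.private?`, so internal projects still use the asynchronously updated `project.team.members` list. If the instance has users who can see internal projects only through explicit membership (external users, for example), a stale authorization row would still get them the move e-mail with the new path. Inverting the condition closes that gap without affecting public projects: `recipients = project.public? ? project.team.members : project.team.members_in_project_and_ancestors`. A one-line comment explaining why the filter depends on visibility would help as well; the method body continues past the end of this hunk.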