author | Sean McGivern <sean@gitlab.com> | 2017-07-24 13:35:54 +0300 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2017-07-24 18:58:04 +0300 |
commit | ccac2abeba419f16029c40f29063f1812c9e159c (patch) | |
tree | 975ca2e9f3fc91fae1ce0c775c8c267256fa7480 /app | |
parent | f81ed493e1f02e5a197df3e2df9c5e42cb09e7ff (diff) |
Don't treat anonymous users as owners when group has pending invites
The `members` table can have entries where `user_id: nil`, because people can
invite group members by email. We never want to include those as members,
because it might cause confusion with the anonymous (logged out) user.
Diffstat (limited to 'app')
-rw-r--r-- | app/models/group.rb | 6 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 3 |
2 files changed, 7 insertions, 2 deletions
diff --git a/app/models/group.rb b/app/models/group.rb index dfa4e8adedd..bd5735ed82e 100644 --- a/app/models/group.rb +++ b/app/models/group.rb @@ -167,10 +167,14 @@ class Group < Namespace end def has_owner?(user) + return false unless user + members_with_parents.owners.where(user_id: user).any? end def has_master?(user) + return false unless user + members_with_parents.masters.where(user_id: user).any? end @@ -212,7 +216,7 @@ class Group < Namespace end def members_with_parents - GroupMember.non_request.where(source_id: ancestors.pluck(:id).push(id)) + GroupMember.active.where(source_id: ancestors.pluck(:id).push(id)).where.not(user_id: nil) end def users_with_parents diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index d27bbf2948c..0133091db57 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -10,7 +10,8 @@ class ProjectPolicy < BasePolicy desc "User is a project owner" condition :owner do - @user && project.owner == @user || (project.group && project.group.has_owner?(@user)) + (project.owner.present? && project.owner == @user) || + project.group&.has_owner?(@user) end desc "Project has public builds enabled" |
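Review bot: The two `return false unless user` guards in `has_owner?` and `has_master?` carry no explanation, and they look removable once `members_with_parents` filters out rows without a user. They are what keeps a nil (logged-out) user from reaching `where(user_id: user)`, which ActiveRecord renders as `user_id IS NULL`, the invite-row match described in the commit message. I would put a comment above each, e.g. `# nil means anonymous; never let it reach where(user_id: ...), which would match email invites`. Other role predicates in `Group` are outside this hunk, so whether they need the same guard cannot be told from here.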
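Review bot: In `members_with_parents` the scope changes from `non_request` to `active` as well as gaining `.where.not(user_id: nil)`, and only the second part is explained by the commit message. `active` is not defined on this page, so its effect on the result set cannot be checked here; every caller of `members_with_parents` inherits it, presumably including `users_with_parents` in the trailing context. Please state in the description what `active` adds, and document the filter in place, e.g. `# Email invites have user_id: nil and must never count as members`. It is also worth confirming that no caller expects pending invites to appear in this relation.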
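Review bot: The `:owner` condition no longer checks `@user` itself: with the old `@user &&` gone, an anonymous request is rejected on the group branch only because `Group#has_owner?` now returns false for nil. That couples an authorization decision to a guard in another file, so a later change to `has_owner?` could reopen it. Failing closed locally would be sturdier, e.g. `@user.present? && (project.owner == @user || project.group&.has_owner?(@user))`. The rest of `ProjectPolicy` is outside the hunk, so conditions for other roles were not checked.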