diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:57 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:53:57 +0300 |
commit | fe60a1d7a98c4ad476bfabf41cf68363445862f0 (patch) | |
tree | 7636b599feb21cfe94e8f46533dd1806c4706e0b /app | |
parent | c483d1e2984b13c6f9ff1fdfd761be750d84e25c (diff) | |
parent | b554257b95535d25ad90ef84c87369ca5b63eeba (diff) |
Merge branch 'security-ag-hide-private-members-in-project-member-autocomplete-12-2' into '12-2-stable'
Hide private members in project member autocomplete
See merge request gitlab/gitlabhq!3448
Diffstat (limited to 'app')
-rw-r--r-- | app/models/member.rb | 1 | ||||
-rw-r--r-- | app/services/projects/participants_service.rb | 57 |
2 files changed, 56 insertions, 2 deletions
diff --git a/app/models/member.rb b/app/models/member.rb index dbae1076670..2dd3e7b5cec 100644 --- a/app/models/member.rb +++ b/app/models/member.rb @@ -8,6 +8,7 @@ class Member < ApplicationRecord include Gitlab::Access include Presentable include Gitlab::Utils::StrongMemoize + include FromUnion attr_accessor :raw_invite_token diff --git a/app/services/projects/participants_service.rb b/app/services/projects/participants_service.rb index 7080f388e53..1cd81fe37c7 100644 --- a/app/services/projects/participants_service.rb +++ b/app/services/projects/participants_service.rb @@ -7,16 +7,69 @@ module Projects def execute(noteable) @noteable = noteable - participants = noteable_owner + participants_in_noteable + all_members + groups + project_members + participants = + noteable_owner + + participants_in_noteable + + all_members + + groups + + project_members + participants.uniq end def project_members - @project_members ||= sorted(project.team.members) + @project_members ||= sorted(get_project_members) + end + + def get_project_members + members = Member.from_union([project_members_through_ancestral_groups, + project_members_through_invited_groups, + individual_project_members]) + + User.id_in(members.select(:user_id)) end def all_members [{ username: "all", name: "All Project and Group Members", count: project_members.count }] end + + private + + def project_members_through_invited_groups + groups_with_ancestors_ids = Gitlab::ObjectHierarchy + .new(visible_groups) + .base_and_ancestors + .pluck_primary_key + + GroupMember + .active_without_invites_and_requests + .with_source_id(groups_with_ancestors_ids) + end + + def visible_groups + visible_groups = project.invited_groups + + unless project_owner? + visible_groups = visible_groups.public_or_visible_to_user(current_user) + end + + visible_groups + end + + def project_members_through_ancestral_groups + project.group.present? ? project.group.members_with_parents : Member.none + end + + def individual_project_members + project.project_members + end + + def project_owner? + if project.group.present? + project.group.owners.include?(current_user) + else + project.namespace.owner == current_user + end + end end end |