
gitlab.com/gitlab-org/gitlab-foss.git
author Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 16:52:10 +0300
committer Yorick Peterse <yorickpeterse@gmail.com> 2019-01-24 17:04:53 +0300
commit c00adf1040faaf42298a54b7a5d53076a1f75ae4
tree 6320c365c98f3d96b6c82ff6caf3cde111e41be4 /app
parent b2218a51d2fa69bca28591fec335c19b6649c86d
Merge branch 'security-contributed-projects-11-7' into 'security-11-7'
[11.7] Contributed projects info is still visible even user enable private profile

See merge request gitlab/gitlabhq!2764

(cherry picked from commit 8bc7243251f23a9e4e12b49eb47f5c3e81ebe5eb)

912627a5 Fix contributed projects finder shown private info
Diffstat (limited to 'app')
-rw-r--r-- app/finders/contributed_projects_finder.rb 7
1 files changed, 7 insertions, 0 deletions
diff --git a/app/finders/contributed_projects_finder.rb b/app/finders/contributed_projects_finder.rb
index c1ef9dfefa7..f8c7f0c3167 100644
--- a/app/finders/contributed_projects_finder.rb
+++ b/app/finders/contributed_projects_finder.rb
@@ -14,6 +14,9 @@ class ContributedProjectsFinder < UnionFinder
# Returns an ActiveRecord::Relation.
# rubocop: disable CodeReuse/ActiveRecord
def execute(current_user = nil)
+ # Do not show contributed projects if the user profile is private.
+ return Project.none unless can_read_profile?(current_user)
+
segments = all_projects(current_user)
find_union(segments, Project).includes(:namespace).order_id_desc
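Review bot: the comment on the new guard at the top of execute says the profile "is private", but the condition is the :read_user_profile ability evaluated for current_user, so the outcome depends on who is viewing and not only on the profile setting. Suggest rewording it along the lines of "return no projects unless current_user may read this user's profile", and extending the method's doc comment ("Returns an ActiveRecord::Relation") to state that an empty relation is returned in that case, since every caller of the finder now gets Project.none instead of the union result.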
@@ -22,6 +25,10 @@ class ContributedProjectsFinder < UnionFinder
private
+ def can_read_profile?(current_user)
+ Ability.allowed?(current_user, :read_user_profile, @user)
+ end
+
def all_projects(current_user)
projects = []
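Review bot: can_read_profile?, added at the top of the private section, passes current_user straight to Ability.allowed?, and execute defaults that argument to nil, so the signed-out case is decided entirely by the :read_user_profile policy. This view is limited to app/, so if the accompanying spec does not already do so, it should cover a nil current_user against a private profile (expect no projects) and the profile owner viewing their own contributions (expect the normal result). The parameter name also mirrors the one in execute; a short comment noting that @user is the profile being viewed and current_user is the viewer would make the argument order in the Ability.allowed? call easier to check.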