diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 16:52:10 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 17:04:53 +0300 |
commit | c00adf1040faaf42298a54b7a5d53076a1f75ae4 (patch) | |
tree | 6320c365c98f3d96b6c82ff6caf3cde111e41be4 /app | |
parent | b2218a51d2fa69bca28591fec335c19b6649c86d (diff) |
Merge branch 'security-contributed-projects-11-7' into 'security-11-7'
[11.7] Contributed projects info is still visible even user enable private profile
See merge request gitlab/gitlabhq!2764
(cherry picked from commit 8bc7243251f23a9e4e12b49eb47f5c3e81ebe5eb)
912627a5 Fix contributed projects finder shown private info
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/contributed_projects_finder.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/app/finders/contributed_projects_finder.rb b/app/finders/contributed_projects_finder.rb index c1ef9dfefa7..f8c7f0c3167 100644 --- a/app/finders/contributed_projects_finder.rb +++ b/app/finders/contributed_projects_finder.rb @@ -14,6 +14,9 @@ class ContributedProjectsFinder < UnionFinder # Returns an ActiveRecord::Relation. # rubocop: disable CodeReuse/ActiveRecord def execute(current_user = nil) + # Do not show contributed projects if the user profile is private. + return Project.none unless can_read_profile?(current_user) + segments = all_projects(current_user) find_union(segments, Project).includes(:namespace).order_id_desc @@ -22,6 +25,10 @@ class ContributedProjectsFinder < UnionFinder private + def can_read_profile?(current_user) + Ability.allowed?(current_user, :read_user_profile, @user) + end + def all_projects(current_user) projects = [] |