Restrict user profiles based on restricted visibility levels

b05f0a48 · Felipe Artur · 5ae4fd21 · b05f0a48 · b05f0a48
Commit b05f0a48 authored Mar 24, 2016 by Felipe Artur
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

app/controllers/users_controller.rb app/controllers/users_controller.rb +4 -0

app/models/user.rb app/models/user.rb +4 -0

No files found.
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
 class UsersController < ApplicationController
  skip_before_action :authenticate_user!
  before_action :set_user
+  before_filter :authorize_read_user, only: [:show]
  def show
    respond_to do |format|
@@ -74,6 +75,9 @@ class UsersController < ApplicationController
  end
  private
+  def authorize_read_user
+    render_404 unless @user.public?
+  end
  def set_user
    @user = User.find_by_username!(params[:username])

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,6 +835,10 @@ class User < ActiveRecord::Base
    notification_settings.find_or_initialize_by(source: source)
  end
+  def public?
+    current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+  end
  private
  def projects_union