Only allow user to see participants from groups they have access to.

e62b5a2b · Douwe Maan · 756e7aa8 · e62b5a2b · e62b5a2b · e62b5a2b
Commit e62b5a2b authored Mar 27, 2015 by Douwe Maan
5 changed files
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -118,16 +118,16 @@ module Issuable
  end

  # Return all users participating on the discussion
-  def participants
+  def participants(current_user = self.author)
    users = []
    users << author
    users << assignee if is_assigned?
    mentions = []
-    mentions << self.mentioned_users
+    mentions << self.mentioned_users(current_user)

    notes.each do |note|
      users << note.author
-      mentions << note.mentioned_users
+      mentions << note.mentioned_users(current_user)
    end

    users.concat(mentions.reduce([], :|)).uniq
@@ -140,7 +140,7 @@ module Issuable
      return subscription.subscribed
    end

-    participants.include?(user)
+    participants(user).include?(user)
  end

  def toggle_subscription(user)

--- a/app/models/concerns/mentionable.rb
+++ b/app/models/concerns/mentionable.rb
@@ -42,10 +42,10 @@ module Mentionable
    Note.cross_reference_exists?(target, local_reference)
  end

-  def mentioned_users
+  def mentioned_users(current_user = nil)
    return [] if mentionable_text.blank?

-    ext = Gitlab::ReferenceExtractor.new(self.project)
+    ext = Gitlab::ReferenceExtractor.new(self.project, current_user)
    ext.analyze(text)
    ext.users.uniq
  end

--- a/app/services/projects/participants_service.rb
+++ b/app/services/projects/participants_service.rb
@@ -21,10 +21,10 @@ module Projects
      users = case type
              when "Issue"
                issue = @project.issues.find_by_iid(id)
-                issue ? issue.participants : []
+                issue ? issue.participants(user) : []
              when "MergeRequest"
                merge_request = @project.merge_requests.find_by_iid(id)
-                merge_request ? merge_request.participants : []
+                merge_request ? merge_request.participants(user) : []
              when "Commit"
                author_ids = Note.for_commit_id(id).pluck(:author_id).uniq
                User.where(id: author_ids)

--- a/app/views/projects/issues/_discussion.html.haml
+++ b/app/views/projects/issues/_discussion.html.haml
@@ -9,8 +9,8 @@
    .votes-holder.pull-right
      #votes= render 'votes/votes_block', votable: @issue
    .participants
-      %span= pluralize(@issue.participants.count, 'participant')
-      - @issue.participants.each do |participant|
+      %span= pluralize(@issue.participants(current_user).count, 'participant')
+      - @issue.participants(current_user).each do |participant|
        = link_to_member(@project, participant, name: false, size: 24)
    .voting_notes#notes= render "projects/notes/notes_with_form"
  %aside.col-md-3

--- a/app/views/projects/merge_requests/show/_participants.html.haml
+++ b/app/views/projects/merge_requests/show/_participants.html.haml
 .participants
-  %span #{@merge_request.participants.count} participants
-  - @merge_request.participants.each do |participant|
+  %span #{@merge_request.participants(current_user).count} participants
+  - @merge_request.participants(current_user).each do |participant|
    = link_to_member(@project, participant, name: false, size: 24)