Commit c400030d authored by Sean McGivern's avatar Sean McGivern

Don't count any confidential issues for non-project-members

parent 20bb678d
...@@ -62,7 +62,7 @@ class IssuableFinder ...@@ -62,7 +62,7 @@ class IssuableFinder
# grouping and counting within that query. # grouping and counting within that query.
# #
def count_by_state def count_by_state
count_params = params.merge(state: nil, sort: nil) count_params = params.merge(state: nil, sort: nil, for_counting: true)
labels_count = label_names.any? ? label_names.count : 1 labels_count = label_names.any? ? label_names.count : 1
finder = self.class.new(current_user, count_params) finder = self.class.new(current_user, count_params)
counts = Hash.new(0) counts = Hash.new(0)
......
...@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder ...@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder
end end
def not_restricted_by_confidentiality def not_restricted_by_confidentiality
return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
return Issue.all if user_can_see_all_confidential_issues? return Issue.all if user_can_see_all_confidential_issues?
return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
Issue.where(' Issue.where('
issues.confidential IS NOT TRUE issues.confidential IS NOT TRUE
...@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder ...@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder
end end
def user_can_see_all_confidential_issues? def user_can_see_all_confidential_issues?
return false unless current_user return @user_can_see_all_confidential_issues = false if current_user.blank?
return true if current_user.full_private_access? return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
@user_can_see_all_confidential_issues =
project? && project? &&
project && project &&
project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL
end end
def user_cannot_see_confidential_issues? def user_cannot_see_confidential_issues?
current_user.blank? return false if user_can_see_all_confidential_issues?
current_user.blank? || params[:for_counting]
end end
private private
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment