Commit 4d2a666c authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-contributed-projects' into 'master'

[master] Fix contributed projects info is still visible even user enable private profile

See merge request gitlab/gitlabhq!2743
parents 2f0050fb 7084d71e
......@@ -14,6 +14,9 @@ class ContributedProjectsFinder < UnionFinder
# Returns an ActiveRecord::Relation.
# rubocop: disable CodeReuse/ActiveRecord
def execute(current_user = nil)
# Do not show contributed projects if the user profile is private.
return Project.none unless can_read_profile?(current_user)
segments = all_projects(current_user)
find_union(segments, Project).includes(:namespace).order_id_desc
......@@ -22,6 +25,10 @@ class ContributedProjectsFinder < UnionFinder
private
def can_read_profile?(current_user)
Ability.allowed?(current_user, :read_user_profile, @user)
end
def all_projects(current_user)
projects = []
......
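Review bot: The comment above the new guard in `execute` says `Do not show contributed projects if the user profile is private.`, but the check it introduces is an ability check, `can_read_profile?`, which presumably covers every reason a viewer may not read `@user`'s profile rather than the private-profile flag alone. Suggest `# Hide contributed projects from viewers who cannot read @user's profile (e.g. when the profile is private).` so the comment does not narrow the guard. `can_read_profile?` depends on `@user`, which is assigned outside the hunk, and the `current_user = nil` default means anonymous viewers go through the same `Ability.allowed?` decision, which is the right single place for it. `all_projects` continues outside the hunk.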
---
title: Fix contributed projects info still visible when user enable private profile
merge_request:
author:
type: security
......@@ -206,6 +206,38 @@ describe UsersController do
end
end
describe 'GET #contributed' do
let(:project) { create(:project, :public) }
let(:current_user) { create(:user) }
before do
sign_in(current_user)
project.add_developer(public_user)
project.add_developer(private_user)
end
context 'with public profile' do
it 'renders contributed projects' do
create(:push_event, project: project, author: public_user)
get :contributed, params: { username: public_user.username }
expect(assigns[:contributed_projects]).not_to be_empty
end
end
context 'with private profile' do
it 'does not render contributed projects' do
create(:push_event, project: project, author: private_user)
get :contributed, params: { username: private_user.username }
expect(assigns[:contributed_projects]).to be_empty
end
end
end
describe 'GET #snippets' do
before do
sign_in(user)
......
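Review bot: The 'with private profile' context only asserts the negative case, signed in as an unrelated `current_user`; nothing checks that the profile owner still sees their own contributed projects after this change, and the finder spec in the same commit has the same gap. Assuming `:read_user_profile` grants the owner access (the policy is not visible here), a nested context overriding `let(:current_user) { private_user }` covers the regression without a second `sign_in`. `public_user` and `private_user` are `let`s defined outside the hunk.

```ruby
context 'with private profile' do
  # … unchanged: 'does not render contributed projects' example …

  context 'when the viewer is the profile owner' do
    let(:current_user) { private_user }

    it 'renders contributed projects' do
      create(:push_event, project: project, author: private_user)
      get :contributed, params: { username: private_user.username }
      expect(assigns[:contributed_projects]).not_to be_empty
    end
  end
end
```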
......@@ -31,4 +31,16 @@ describe ContributedProjectsFinder do
it { is_expected.to match_array([private_project, internal_project, public_project]) }
end
context 'user with private profile' do
it 'does not return contributed projects' do
private_user = create(:user, private_profile: true)
public_project.add_maintainer(private_user)
create(:push_event, project: public_project, author: private_user)
projects = described_class.new(private_user).execute(current_user)
expect(projects).to be_empty
end
end
end
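Review bot: The new example at `expect(projects).to be_empty` can pass vacuously: if the push event or maintainer setup for the freshly created `private_user` did not produce a contribution at all, the relation would be empty regardless of the profile flag. Pinning the positive side first makes the assertion meaningful, e.g. `private_user.update!(private_profile: false)` followed by `expect(described_class.new(private_user).execute(current_user)).to match_array([public_project])` before flipping the flag back and asserting emptiness. The example also relies on `current_user` being a `let` outside the hunk that is not `private_user`; a short comment such as `# viewer is a different user; the owner is covered separately` would make that intent explicit.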