author | Sean McGivern <sean@gitlab.com> | 2017-06-23 12:50:33 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2017-06-30 10:33:45 +0100 |
commit | c400030d0f51c71f32990ab0ecfebfa245ed663e (patch) | |
tree | 549f4159fe8613490d91ed46d11823aa115fcd7e | |
parent | 20bb678d91715817f3da04c7a1b73db84295accd (diff) | |
download | gitlab-ce-c400030d0f51c71f32990ab0ecfebfa245ed663e.tar.gz |
Don't count any confidential issues for non-project-members
-rw-r--r-- | app/finders/issuable_finder.rb | 2 | ||||
-rw-r--r-- | app/finders/issues_finder.rb | 13 |
2 files changed, 9 insertions, 6 deletions
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 558f8b5e2e5..e8605f3d5b3 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -62,7 +62,7 @@ class IssuableFinder
 # grouping and counting within that query.
 #
 def count_by_state
- count_params = params.merge(state: nil, sort: nil)
+ count_params = params.merge(state: nil, sort: nil, for_counting: true)
 labels_count = label_names.any? ? label_names.count : 1
 finder = self.class.new(current_user, count_params)
 counts = Hash.new(0)
diff --git a/app/finders/issues_finder.rb b/app/finders/issues_finder.rb
index 328198c026a..b213a7aebfd 100644
--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder
 end
 def not_restricted_by_confidentiality
- return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
 return Issue.all if user_can_see_all_confidential_issues?
+ return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
 Issue.where('
 issues.confidential IS NOT TRUE
@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder
 end
 def user_can_see_all_confidential_issues?
- return false unless current_user
- return true if current_user.full_private_access?
+ return @user_can_see_all_confidential_issues = false if current_user.blank?
+ return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
- project? &&
+ @user_can_see_all_confidential_issues =
+ project? &&
 project &&
 project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL
 end
 def user_cannot_see_confidential_issues?
- current_user.blank?
+ return false if user_can_see_all_confidential_issues?
+
+ current_user.blank? || params[:for_counting]
 end
 private |
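Review bot: The comment block above `count_by_state` does not mention that the counts now follow a stricter confidentiality rule than the listing, and `for_counting` appears in the `merge` call with no explanation of what it controls. I would add a line such as `# for_counting: true makes IssuesFinder leave confidential issues out of the counts for anyone who cannot see all of them, so a count may be lower than the list.` The flag also travels in the same `params` hash as the ordinary filters; as far as these hunks show it can only narrow what is counted, and saying so in the comment would stop a later change from using it to widen access. The body of `count_by_state` continues outside the hunk.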
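Review bot: `user_can_see_all_confidential_issues?` now assigns `@user_can_see_all_confidential_issues` on every path, but nothing visible in the hunk reads it back, so the result is not actually memoized. After this commit `not_restricted_by_confidentiality` (the second hunk of this file) reaches the predicate twice, once directly and once through `user_cannot_see_confidential_issues?`, so `project.team.max_member_access` is evaluated twice per query. Adding `return @user_can_see_all_confidential_issues if defined?(@user_can_see_all_confidential_issues)` as the first line of the method would make the cache effective; `defined?` is needed rather than `||=` because the cached answer is often `false` or `nil`. The diffstat lists only the two finder files, so a spec pinning the counts seen by a logged-in non-member would be worth adding alongside this access rule.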