| author | Sean McGivern <sean@gitlab.com> | 2017-06-23 12:50:33 +0100 | 
|---|---|---|
| committer | Sean McGivern <sean@gitlab.com> | 2017-06-30 10:33:45 +0100 | 
| commit | c400030d0f51c71f32990ab0ecfebfa245ed663e (patch) | |
| tree | 549f4159fe8613490d91ed46d11823aa115fcd7e | |
| parent | 20bb678d91715817f3da04c7a1b73db84295accd (diff) | |
Don't count any confidential issues for non-project-members
| -rw-r--r-- | app/finders/issuable_finder.rb | 2 | ||||
| -rw-r--r-- | app/finders/issues_finder.rb | 13 | 
2 files changed, 9 insertions, 6 deletions
| diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 558f8b5e2e5..e8605f3d5b3 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -62,7 +62,7 @@ class IssuableFinder
   # grouping and counting within that query.
   #
   def count_by_state
-    count_params = params.merge(state: nil, sort: nil)
+    count_params = params.merge(state: nil, sort: nil, for_counting: true)
     labels_count = label_names.any? ? label_names.count : 1
     finder = self.class.new(current_user, count_params)
     counts = Hash.new(0)
diff --git a/app/finders/issues_finder.rb b/app/finders/issues_finder.rb
index 328198c026a..b213a7aebfd 100644
--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder
   end
   def not_restricted_by_confidentiality
-    return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
     return Issue.all if user_can_see_all_confidential_issues?
+    return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
     Issue.where('
       issues.confidential IS NOT TRUE
@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder
   end
   def user_can_see_all_confidential_issues?
-    return false unless current_user
-    return true if current_user.full_private_access?
+    return @user_can_see_all_confidential_issues = false if current_user.blank?
+    return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
-    project? &&
+    @user_can_see_all_confidential_issues =
+      project? &&
       project &&
       project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL
   end
   def user_cannot_see_confidential_issues?
-    current_user.blank?
+    return false if user_can_see_all_confidential_issues?
+
+    current_user.blank? || params[:for_counting]
   end
   private |
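Review bot: `for_counting: true` in count_by_state is written into the finder params, but nothing in IssuableFinder reads it; its only consumer in this commit is IssuesFinder#user_cannot_see_confidential_issues?. A comment above the merge would save the next reader the search, for example `# for_counting: IssuesFinder excludes all confidential issues from counts unless the user can see every one of them`. Because the flag shares the params hash with caller-supplied filters, the comment should also say whether callers are allowed to set it; from the visible lines a truthy value only narrows the result set. count_by_state continues past the end of the hunk.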
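Review bot: The instance variable assigned in user_can_see_all_confidential_issues? is never read, so the method is not memoized: every call re-runs `project.team.max_member_access(current_user.id)`, and after this commit the predicate is called from both not_restricted_by_confidentiality and user_cannot_see_confidential_issues?. Add a guard as the first line of the method, `return @user_can_see_all_confidential_issues if defined?(@user_can_see_all_confidential_issues)`; `defined?` is needed because a cached `false` must short-circuit too. Separately, user_cannot_see_confidential_issues? now returns whatever `params[:for_counting]` holds rather than a boolean, which is fine for the `if` in this file but worth normalising if other callers compare the result. No spec changes are visible in this commit; a finder spec asserting that a non-member's counts exclude confidential issues would pin the access rule.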
