diff options
| author | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-06-06 16:13:31 -0300 |
|---|---|---|
| committer | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-06-13 19:32:00 -0300 |
| commit | b56c45675019baaaf47615d51c08d5caa0734ad3 (patch) | |
| tree | b933c21ab49a745a6839aa1127c237ffe7a3a3fb /app/models/issue.rb | |
| parent | af8500f43010f42176b2ec1814f0fe7248258b05 (diff) | |
| download | gitlab-ce-b56c45675019baaaf47615d51c08d5caa0734ad3.tar.gz | |
Project members with guest role can't access confidential issues
Diffstat (limited to 'app/models/issue.rb')
| -rw-r--r-- | app/models/issue.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb index 235922710ad..6ecb3535359 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -54,7 +54,15 @@ class Issue < ActiveRecord::Base return where(confidential: false) if user.blank? return all if user.admin? - where('issues.confidential = false OR (issues.confidential = true AND (issues.author_id = :user_id OR issues.assignee_id = :user_id OR issues.project_id IN(:project_ids)))', user_id: user.id, project_ids: user.authorized_projects.select(:id)) + where(' + issues.confidential IS NULL + OR issues.confidential IS FALSE + OR (issues.confidential = TRUE + AND (issues.author_id = :user_id + OR issues.assignee_id = :user_id + OR issues.project_id IN(:project_ids)))', + user_id: user.id, + project_ids: user.authorized_projects(Gitlab::Access::REPORTER).select(:id)) end def self.reference_prefix |