Diffstat (limited to 'app')
-rw-r--r--app/controllers/admin/users_controller.rb2
-rw-r--r--app/finders/projects_finder.rb27
-rw-r--r--app/models/ability.rb34
-rw-r--r--app/models/project.rb6
-rw-r--r--app/models/user.rb13
-rw-r--r--app/views/admin/users/_form.html.haml8
-rw-r--r--app/views/admin/users/index.html.haml10
-rw-r--r--app/views/admin/users/show.html.haml4
-rw-r--r--app/views/dashboard/projects/_zero_authorized_projects.html.haml4
9 files changed, 66 insertions, 42 deletions
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 3063d299b1a..9abf08d0e19 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -150,7 +150,7 @@ class Admin::UsersController < Admin::ApplicationController
:email, :remember_me, :bio, :name, :username,
:skype, :linkedin, :twitter, :website_url, :color_scheme_id, :theme_id, :force_random_password,
:extern_uid, :provider, :password_expires_at, :avatar, :hide_no_ssh_key, :hide_no_password,
- :projects_limit, :can_create_group, :admin, :key_id
+ :projects_limit, :can_create_group, :admin, :key_id, :external
)
end
diff --git a/app/finders/projects_finder.rb b/app/finders/projects_finder.rb
index 2c55f088594..3a5fc5b5907 100644
--- a/app/finders/projects_finder.rb
+++ b/app/finders/projects_finder.rb
@@ -40,25 +40,26 @@ class ProjectsFinder
private
def group_projects(current_user, group)
- if current_user
- [
- group_projects_for_user(current_user, group),
- group.projects.public_and_internal_only,
- group.shared_projects.visible_to_user(current_user)
- ]
+ return [group.projects.public_only] unless current_user
+
+ user_group_projects = [
+ group_projects_for_user(current_user, group),
+ group.shared_projects.visible_to_user(current_user)
+ ]
+ if current_user.external?
+ user_group_projects << group.projects.public_only
else
- [group.projects.public_only]
+ user_group_projects << group.projects.public_and_internal_only
end
end
def all_projects(current_user)
- if current_user
- [
- current_user.authorized_projects,
- public_and_internal_projects
- ]
+ return [public_projects] unless current_user
+
+ if current_user.external?
+ [current_user.authorized_projects, public_projects]
else
- [Project.public_only]
+ [current_user.authorized_projects, public_and_internal_projects]
end
end
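Review bot: The external branches narrow the "everyone" set to `public_only`, but `group.shared_projects.visible_to_user(current_user)` in `group_projects` is unchanged; if `visible_to_user` (not in this diff) treats any signed-in user as entitled to internal projects, an external user still reaches internal projects shared into the group through that line, so that scope should be checked for an `external?` condition as well. `public_projects` used in `all_projects` is not defined in this hunk; I assume it is a sibling of `public_and_internal_projects` elsewhere in the class. Style: the `if/else` that appends to `user_group_projects` can be one statement, `user_group_projects << (current_user.external? ? group.projects.public_only : group.projects.public_and_internal_only)`.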
diff --git a/app/models/ability.rb b/app/models/ability.rb
index fe9e0aab717..ccac08b7d3f 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -109,23 +109,10 @@ class Ability
key = "/user/#{user.id}/project/#{project.id}"
RequestStore.store[key] ||= begin
- team = project.team
+ # Push abilities on the users team role
+ rules.push(*project_team_rules(project.team, user))
- # Rules based on role in project
- if team.master?(user)
- rules.push(*project_master_rules)
-
- elsif team.developer?(user)
- rules.push(*project_dev_rules)
-
- elsif team.reporter?(user)
- rules.push(*project_report_rules)
-
- elsif team.guest?(user)
- rules.push(*project_guest_rules)
- end
-
- if project.public? || project.internal?
+ if project.public? || (project.internal? && !user.external?)
rules.push(*public_project_rules)
# Allow to read builds for internal projects
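Review bot: `rules.push(*project_team_rules(project.team, user))` depends on the helper returning nil for a non-member and on `*nil` splatting to zero arguments; that is valid Ruby but fragile if the helper is later changed, so a comment on that line such as `# project_team_rules returns nil for non-members; *nil pushes nothing` makes the contract explicit. The comment above it should read `# Push abilities based on the user's team role`. The internal-project condition now excludes external users, but the build-read block following the `# Allow to read builds for internal projects` line continues outside the hunk; if it keys on `project.internal?` alone it needs the same `!user.external?` guard.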
@@ -148,6 +135,19 @@ class Ability
end
end
+ def project_team_rules(team, user)
+ # Rules based on role in project
+ if team.master?(user)
+ project_master_rules
+ elsif team.developer?(user)
+ project_dev_rules
+ elsif team.reporter?(user)
+ project_report_rules
+ elsif team.guest?(user)
+ project_guest_rules
+ end
+ end
+
def public_project_rules
@public_project_rules ||= project_guest_rules + [
:download_code,
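Review bot: `project_team_rules` is undocumented about its nil return: when the user holds none of the four roles every `elsif` is skipped and the method yields nil, which only works because the caller splats the result. Replace the inline `# Rules based on role in project` with `# Rule set for the user's highest role in team; nil when the user is not a member (callers splat the result).` so the next caller does not treat it as an Array. `public_project_rules` at the end of the hunk continues outside it.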
@@ -356,7 +356,7 @@ class Ability
]
end
- if snippet.public? || snippet.internal?
+ if snippet.public? || (snippet.internal? && !user.external?)
rules << :read_personal_snippet
end
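Review bot: `!user.external?` on the added line raises `NoMethodError` if this snippet-abilities method can be reached with a nil user; the enclosing method starts outside the hunk, so I cannot tell whether anonymous callers are routed here. If they can be, the condition should be `if snippet.public? || (snippet.internal? && user && !user.external?)`. Note that `user&.external?` would be the wrong fix: `!nil` is true, which would grant internal snippets to anonymous callers.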
diff --git a/app/models/project.rb b/app/models/project.rb
index 89a55a510cd..ab4913e99a8 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -254,12 +254,6 @@ class Project < ActiveRecord::Base
where('projects.last_activity_at < ?', 6.months.ago)
end
- def publicish(user)
- visibility_levels = [Project::PUBLIC]
- visibility_levels << Project::INTERNAL if user
- where(visibility_level: visibility_levels)
- end
-
def with_push
joins(:events).where('events.action = ?', Event::PUSHED)
end
diff --git a/app/models/user.rb b/app/models/user.rb
index 68b242888aa..c011af03591 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -59,6 +59,7 @@
# hide_project_limit :boolean default(FALSE)
# unlock_token :string
# otp_grace_period_started_at :datetime
+# external :boolean default(FALSE)
#
require 'carrierwave/orm/activerecord'
@@ -77,6 +78,7 @@ class User < ActiveRecord::Base
add_authentication_token_field :authentication_token
default_value_for :admin, false
+ default_value_for :external, false
default_value_for :can_create_group, gitlab_config.default_can_create_group
default_value_for :can_create_team, false
default_value_for :hide_no_ssh_key, false
@@ -171,6 +173,7 @@ class User < ActiveRecord::Base
after_update :update_emails_with_primary_email, if: ->(user) { user.email_changed? }
before_save :ensure_authentication_token
+ before_save :ensure_external_user_rights
after_save :ensure_namespace_correct
after_initialize :set_projects_limit
after_create :post_create_hook
@@ -218,6 +221,7 @@ class User < ActiveRecord::Base
# Scopes
scope :admins, -> { where(admin: true) }
scope :blocked, -> { with_states(:blocked, :ldap_blocked) }
+ scope :external, -> { where(external: true) }
scope :active, -> { with_state(:active) }
scope :not_in_project, ->(project) { project.users.present? ? where("id not in (:ids)", ids: project.users.map(&:id) ) : all }
scope :without_projects, -> { where('id NOT IN (SELECT DISTINCT(user_id) FROM members)') }
@@ -273,6 +277,8 @@ class User < ActiveRecord::Base
self.with_two_factor
when 'wop'
self.without_projects
+ when 'external'
+ self.external
else
self.active
end
@@ -841,4 +847,11 @@ class User < ActiveRecord::Base
def send_devise_notification(notification, *args)
devise_mailer.send(notification, self, *args).deliver_later
end
+
+ def ensure_external_user_rights
+ return unless self.external?
+
+ self.can_create_group = false
+ self.projects_limit = 0
+ end
end
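Review bot: `ensure_external_user_rights` is a one-way clamp: setting `external` zeroes `projects_limit` and clears `can_create_group`, but clearing the flag later leaves both values in place, and any `projects_limit` submitted together with `external: true` is silently overwritten. Because it is a `before_save` it re-applies on every save, which is presumably intended so the flag always wins over form input; a comment saying so, `# External users may not create projects or groups; re-applied on every save so the flag overrides form input.`, would save the next reader a round trip to the admin form. The hunk does not show whether the new method lands under `private`; as a callback it should.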
diff --git a/app/views/admin/users/_form.html.haml b/app/views/admin/users/_form.html.haml
index e18dd9bc905..d2527ede995 100644
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -58,9 +58,15 @@
= f.label :admin, class: 'control-label'
- if current_user == @user
.col-sm-10= f.check_box :admin, disabled: true
- .col-sm-10 You cannot remove your own admin rights
+ .col-sm-10 You cannot remove your own admin rights.
- else
.col-sm-10= f.check_box :admin
+
+ .form-group
+ = f.label :external, class: 'control-label'
+ .col-sm-10= f.check_box :external
+ .col-sm-10 External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
+
%fieldset
%legend Profile
.form-group
diff --git a/app/views/admin/users/index.html.haml b/app/views/admin/users/index.html.haml
index b6b1168bd37..0ee8dc962b9 100644
--- a/app/views/admin/users/index.html.haml
+++ b/app/views/admin/users/index.html.haml
@@ -19,6 +19,10 @@
= link_to admin_users_path(filter: 'two_factor_disabled') do
2FA Disabled
%small.badge= number_with_delimiter(User.without_two_factor.count)
+ %li.filter-external{class: "#{'active' if params[:filter] == 'external'}"}
+ = link_to admin_users_path(filter: 'external') do
+ External
+ %small.badge= number_with_delimiter(User.external.count)
%li{class: "#{'active' if params[:filter] == "blocked"}"}
= link_to admin_users_path(filter: "blocked") do
Blocked
@@ -70,12 +74,14 @@
%li
.list-item-name
- if user.blocked?
- %i.fa.fa-lock.cred
+ = icon("lock", class: "cred")
- else
- %i.fa.fa-user.cgreen
+ = icon("user", class: "cgreen")
= link_to user.name, [:admin, user]
- if user.admin?
%strong.cred (Admin)
+ - if user.external?
+ %strong.cred (External)
- if user == current_user
%span.cred It's you!
.pull-right
diff --git a/app/views/admin/users/show.html.haml b/app/views/admin/users/show.html.haml
index 2bdbae19588..d37489bebea 100644
--- a/app/views/admin/users/show.html.haml
+++ b/app/views/admin/users/show.html.haml
@@ -48,6 +48,10 @@
Disabled
%li
+ %span.light External User:
+ %strong
+ = @user.external? ? "Yes" : "No"
+ %li
%span.light Can create groups:
%strong
= @user.can_create_group ? "Yes" : "No"
diff --git a/app/views/dashboard/projects/_zero_authorized_projects.html.haml b/app/views/dashboard/projects/_zero_authorized_projects.html.haml
index c3efa7727b1..d54c7cad7be 100644
--- a/app/views/dashboard/projects/_zero_authorized_projects.html.haml
+++ b/app/views/dashboard/projects/_zero_authorized_projects.html.haml
@@ -1,4 +1,4 @@
-- publicish_project_count = Project.publicish(current_user).count
+- publicish_project_count = ProjectsFinder.new.execute(current_user).count
%h3.page-title Welcome to GitLab!
%p.light Self hosted Git management application.
%hr
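Review bot: The local is still named `publicish_project_count` although it now counts whatever `ProjectsFinder#execute` returns for the user, which per the finder change includes authorized and shared projects as well as public/internal ones; renaming it to `visible_project_count` here and at its uses further down the partial (outside the hunk) keeps the name honest. This also assumes `execute` returns a single relation so that `.count` issues a SQL count; if it returns an Array of relations, `.count` would report the number of relations instead.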
@@ -18,7 +18,7 @@
- if current_user.can_create_project?
.link_holder
= link_to new_project_path, class: "btn btn-new" do
- %i.fa.fa-plus
+ = icon('plus')
New Project
- if current_user.can_create_group?