Merge branch 'issue_5838' into 'master'

Show project members only for members

fixes #5838 

See merge request !3752

CHANGELOG

@@ -51,6 +51,7 @@ v 8.7.0 (unreleased)
   - Add endpoints to archive or unarchive a project !3372
   - Fix a bug whith trailing slash in bamboo_url
   - Add links to CI setup documentation from project settings and builds pages
+  - Display project members page to all members
   - Handle nil descriptions in Slack issue messages (Stan Hu)
   - Add automated repository integrity checks
   - API: Expose open_issues_count, closed_issues_count, open_merge_requests_count for labels (Robert Schilling)

app/controllers/projects/project_members_controller.rb

 class Projects::ProjectMembersController < Projects::ApplicationController
   # Authorize
-  before_action :authorize_admin_project_member!, except: :leave
+  before_action :authorize_admin_project_member!, except: [:leave, :index]
 
   def index
     @project_members = @project.project_members

app/helpers/projects_helper.rb

@@ -144,6 +144,10 @@ module ProjectsHelper
       nav_tabs << :settings
     end
 
+    if can?(current_user, :read_project_member, project)
+      nav_tabs << :team
+    end
+
     if can?(current_user, :read_issue, project)
       nav_tabs << :issues
     end

app/views/layouts/nav/_project.html.haml

@@ -77,7 +77,7 @@
           Merge Requests
           %span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
 
-  - if project_nav_tab? :settings
+  - if project_nav_tab? :team
     = nav_link(controller: [:project_members, :teams]) do
       = link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do
         = icon('users fw')

spec/controllers/projects/project_members_controller_spec.rb

@@ -46,4 +46,20 @@ describe Projects::ProjectMembersController do
       end
     end
   end
+
+  describe '#index' do
+    let(:project) { create(:project, :private) }
+
+    context 'when user is member' do
+      let(:member) { create(:user) }
+
+      before do
+        project.team << [member, :guest]
+        sign_in(member)
+        get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
+      end
+
+      it { expect(response.status).to eq(200) }
+    end
+  end
 end

spec/features/security/project/internal_access_spec.rb

@@ -101,12 +101,12 @@ describe "Internal Project Access", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
-    it { is_expected.to be_denied_for developer }
-    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_denied_for guest }
-    it { is_expected.to be_denied_for :user }
-    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
   end
 
   describe "GET /:project_path/blob" do

spec/features/security/project/private_access_spec.rb

@@ -101,9 +101,9 @@ describe "Private Project Access", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
-    it { is_expected.to be_denied_for developer }
-    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
     it { is_expected.to be_denied_for :visitor }

spec/features/security/project/public_access_spec.rb

@@ -101,12 +101,12 @@ describe "Public Project Access", feature: true  do
     it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
-    it { is_expected.to be_denied_for developer }
-    it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_denied_for guest }
-    it { is_expected.to be_denied_for :user }
-    it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :visitor }
+    it { is_expected.to be_allowed_for :external }
   end
 
   describe "GET /:project_path/builds" do