Commit 62f6601c authored by Felipe Artur's avatar Felipe Artur

Show project members only for members

parent 17b60d68
class Projects::ProjectMembersController < Projects::ApplicationController class Projects::ProjectMembersController < Projects::ApplicationController
# Authorize # Authorize
before_action :authorize_admin_project_member!, except: :leave before_action :authorize_admin_project_member!, except: [:leave, :index]
before_action :authorize_read_members_list!, only: [:index]
def index def index
@project_members = @project.project_members @project_members = @project.project_members
...@@ -112,4 +113,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController ...@@ -112,4 +113,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def member_params def member_params
params.require(:project_member).permit(:user_id, :access_level) params.require(:project_member).permit(:user_id, :access_level)
end end
def authorize_read_members_list!
render_403 unless can?(current_user, :read_members_list , @project)
end
end end
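Review bot: `authorize_read_members_list!` has a stray space before the comma in its `can?` call; it should read `render_403 unless can?(current_user, :read_members_list, @project)`. The class continues outside the hunk, so it is not visible whether the new method sits under `private` as a before_action callback should, to keep it from being reachable as an action; `member_params` next to it looks like it belongs to that private section. Since `index` is dropped from `authorize_admin_project_member!` and now relies solely on this one check, the spec added in this commit is what pins the fail-closed behaviour and should move together with any later change to the `read_members_list` rule.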
...@@ -144,6 +144,10 @@ module ProjectsHelper ...@@ -144,6 +144,10 @@ module ProjectsHelper
nav_tabs << :settings nav_tabs << :settings
end end
if can?(current_user, :read_members_list, project)
nav_tabs << :team
end
if can?(current_user, :read_issue, project) if can?(current_user, :read_issue, project)
nav_tabs << :issues nav_tabs << :issues
end end
...@@ -154,9 +154,17 @@ class Ability ...@@ -154,9 +154,17 @@ class Ability
end end
end end
def project_member_rules(team, user)
all_members_rules = []
#Rules only for members which does not include public behavior
all_members_rules << :read_members_list if team.members.include?(user)
all_members_rules
end
def project_team_rules(team, user) def project_team_rules(team, user)
# Rules based on role in project # Rules based on role in project
if team.master?(user) filtered_rules = if team.master?(user)
project_master_rules project_master_rules
elsif team.developer?(user) elsif team.developer?(user)
project_dev_rules project_dev_rules
...@@ -165,6 +173,8 @@ class Ability ...@@ -165,6 +173,8 @@ class Ability
elsif team.guest?(user) elsif team.guest?(user)
project_guest_rules project_guest_rules
end end
Array(filtered_rules) + project_member_rules(team, user)
end end
def public_project_rules def public_project_rules
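Review bot: `:read_members_list` in `project_member_rules` is granted only when `team.members.include?(user)`, so a user who reaches `project_team_rules` by another route — a site admin, or someone whose access is inherited from the group rather than a direct project membership, if `team.members` does not contain them — keeps the role rules but loses the members list and the Team tab; confirm that `team.members` covers every user the controller previously admitted. `include?` on the association also loads the whole member collection to test a single user, where a membership predicate or an `exists?` query would do. The comment is mis-spaced and awkward; `# Rules granted to every member, independent of the project's public visibility` reads better, and the body can be the single expression `team.members.include?(user) ? [:read_members_list] : []`. `project_team_rules` starts in the first hunk and its body continues into the second.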
...@@ -77,7 +77,7 @@ ...@@ -77,7 +77,7 @@
Merge Requests Merge Requests
%span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count) %span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
- if project_nav_tab? :settings - if project_nav_tab? :team
= nav_link(controller: [:project_members, :teams]) do = nav_link(controller: [:project_members, :teams]) do
= link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do = link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do
= icon('users fw') = icon('users fw')
...@@ -46,4 +46,31 @@ describe Projects::ProjectMembersController do ...@@ -46,4 +46,31 @@ describe Projects::ProjectMembersController do
end end
end end
end end
describe 'index' do
let(:project) { create(:project, :internal) }
context 'when user is member' do
let(:member) { create(:user) }
before do
project.team << [member, :guest]
sign_in(member)
get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
end
it { expect(response.status).to eq(200) }
end
context 'when user is not member' do
let(:not_member) { create(:user) }
before do
sign_in(not_member)
get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
end
it { expect(response.status).to eq(403) }
end
end
end end
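Review bot: The new `index` specs only exercise an internal project; the case the commit title is about — a non-member of a public project, who could previously list members — is untested, as is the anonymous (not signed in) request. Add a context for a public project with a signed-in non-member expecting 403, and one without `sign_in` asserting the response is not 200 (the exact status depends on the authentication filter outside this file). The `describe 'index'` block starts and ends inside the hunk. The factory trait used below is an assumption to check against the project's factories.
```ruby
    context 'when project is public and user is not member' do
      let(:project) { create(:project, :public) } # assumes a :public trait exists in the factories
      let(:not_member) { create(:user) }

      before do
        sign_in(not_member)
        get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
      end

      it { expect(response.status).to eq(403) }
    end
```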