• Sean McGivern's avatar
    Restrict starred projects to viewable ones · 97424ea5
    Sean McGivern authored
    `User#starred_projects` doesn't perform any visibility checks. This has
    a couple of problems:
    
    1. It assumes a user can always view all of their starred projects in
       perpetuity (project not changed to private, access revoked, etc.).
    2. It assumes that we'll only ever allow a user to star a project they
       can view. This is currently the case, but bugs happen.
    
    Add `User#viewable_starred_projects` to filter the starred projects by
    those the user either has explicit access to, or are public or
    internal. Then use that in all places where we list the user's starred
    projects.
    97424ea5
projects_controller.rb 1.54 KB