Commit e8a77c0a authored by Felipe Artur's avatar Felipe Artur

Fix code

parent 668d6ffa
class Groups::GroupMembersController < Groups::ApplicationController class Groups::GroupMembersController < Groups::ApplicationController
# Authorize # Authorize
before_action :authorize_admin_group_member!, except: [:index, :leave] before_action :authorize_admin_group_member!, except: [:index, :leave]
before_action :authorize_read_group_members, only: [:index] before_action :authorize_read_group_members!, only: [:index]
def index def index
@project = @group.projects.find(params[:project_id]) if params[:project_id] @project = @group.projects.find(params[:project_id]) if params[:project_id]
...@@ -83,7 +83,7 @@ class Groups::GroupMembersController < Groups::ApplicationController ...@@ -83,7 +83,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
private private
def authorize_read_group_members def authorize_read_group_members!
render_404 unless can?(current_user, :read_group_members, @group) render_404 unless can?(current_user, :read_group_members, @group)
end end
end end
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
#TODO felipe_artur: Remove this "set_user" before action. It is not good to use before filters for loading database records.
before_action :set_user, except: [:show] before_action :set_user, except: [:show]
before_action :authorize_read_user, only: [:show] before_action :authorize_read_user!, only: [:show]
def show def show
respond_to do |format| respond_to do |format|
...@@ -76,7 +75,8 @@ class UsersController < ApplicationController ...@@ -76,7 +75,8 @@ class UsersController < ApplicationController
end end
private private
def authorize_read_user
def authorize_read_user!
set_user set_user
render_404 unless can?(current_user, :read_user, @user) render_404 unless can?(current_user, :read_user, @user)
end end
......
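Review bot: `authorize_read_user!` only works because it calls `set_user` itself — the `set_user` callback is declared `except: [:show]` while this callback is `only: [:show]`, so for the show action nothing else loads `@user` before the `can?` check, and the method body does not say so. A later edit to either callback list would leave `@user` unset when `can?(current_user, :read_user, @user)` is evaluated. A one-line comment above the `set_user` call would pin the coupling: `# show skips the set_user callback, so load @user here before the permission check`. The enclosing class continues outside the hunk.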
class Ability class Ability
@public_restricted = nil
class << self class << self
def allowed(user, subject) def allowed(user, subject)
...@@ -72,7 +71,6 @@ class Ability ...@@ -72,7 +71,6 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential # Allow to read issues by anonymous user if issue is not confidential
rules << :read_issue unless subject.is_a?(Issue) && subject.confidential? rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?
# Allow anonymous users to read project members if public is not a restricted level
rules << :read_project_member unless restricted_public_level? rules << :read_project_member unless restricted_public_level?
rules - project_disabled_features_rules(project) rules - project_disabled_features_rules(project)
...@@ -100,7 +98,6 @@ class Ability ...@@ -100,7 +98,6 @@ class Ability
if group if group
rules << [:read_group] if group.public? rules << [:read_group] if group.public?
# Allow anonymous users to read project members if public is not a restricted level
rules << [:read_group_members] unless restricted_public_level? rules << [:read_group_members] unless restricted_public_level?
end end
...@@ -493,7 +490,6 @@ class Ability ...@@ -493,7 +490,6 @@ class Ability
def restricted_public_level? def restricted_public_level?
@public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) @public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
@public_restricted
end end
def named_abilities(name) def named_abilities(name)
......
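Review bot: `restricted_public_level?` in the last hunk memoizes an application setting with `@public_restricted ||=`, so once the check has evaluated to true it is never re-read; if the method lives on the Ability singleton (the `class << self` block holding `allowed` above suggests it, and the removed `@public_restricted = nil` at class-body level points the same way, though this hunk's header does not show it), the cached value is process-wide and survives an admin later removing PUBLIC from restricted_visibility_levels, so anonymous member access stays denied until restart. Because `||=` does not cache a false result, the unrestricted case re-queries on every call anyway, so the memoization buys little. Both `:read_project_member` and `:read_group_members` gate anonymous access on this predicate, so reading the setting fresh is the safer choice: `def restricted_public_level?` / `current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)` / `end`. The scope enclosing this method starts and ends outside the hunk.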
...@@ -4,8 +4,7 @@ describe Groups::GroupMembersController do ...@@ -4,8 +4,7 @@ describe Groups::GroupMembersController do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:group) { create(:group) } let(:group) { create(:group) }
context "when public visibility level is restricted" do
context "When public visibility level is restricted" do
before do before do
group.add_owner(user) group.add_owner(user)
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC]) stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
......
...@@ -54,9 +54,10 @@ describe UsersController do ...@@ -54,9 +54,10 @@ describe UsersController do
context 'when logged in' do context 'when logged in' do
before { sign_in(user) } before { sign_in(user) }
it 'renders 404' do it 'renders show' do
get :show, username: user.username get :show, username: user.username
expect(response.status).to eq(200) expect(response.status).to eq(200)
expect(response).to render_template('show')
end end
end end
end end
......