Restrict user profiles based on restricted visibility levels

2016-03-24 12:55:04 -03:00 · 2016-03-24 12:55:04 -03:00 · b05f0a4858
parent 5ae4fd2181
commit b05f0a4858
2 changed files with 8 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,6 +1,7 @@
 class UsersController < ApplicationController
  skip_before_action :authenticate_user!
  before_action :set_user
+  before_filter :authorize_read_user, only: [:show]

  def show
    respond_to do |format|
@ -74,6 +75,9 @@ class UsersController < ApplicationController
  end

  private
+  def authorize_read_user
+    render_404 unless @user.public?
+  end

  def set_user
    @user = User.find_by_username!(params[:username])
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -835,6 +835,10 @@ class User < ActiveRecord::Base
    notification_settings.find_or_initialize_by(source: source)
  end

+  def public?
+    current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+  end
+
  private

  def projects_union