diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index c8e13879b1d..a2629c51384 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -5,7 +5,7 @@ class GroupsController < ApplicationController
   # Authorize
   before_filter :authorize_read_group!, except: [:new, :create]
-  before_filter :authorize_admin_group!, only: [:edit, :update, :destroy]
+  before_filter :authorize_admin_group!, only: [:edit, :update, :destroy, :projects]
   before_filter :authorize_create_group!, only: [:new, :create]
 
   # Load group projects
@@ -108,12 +108,12 @@ class GroupsController < ApplicationController
   end
 
   def project_ids
-    projects.pluck(:id)
+    @projects.pluck(:id)
   end
 
   # Dont allow unauthorized access to group
   def authorize_read_group!
-    unless @group and (projects.present? or can?(current_user, :read_group, @group))
+    unless @group and (@projects.present? or can?(current_user, :read_group, @group))
       if current_user.nil?
         return authenticate_user!
       else
diff --git a/spec/features/security/group/group_access_spec.rb b/spec/features/security/group/group_access_spec.rb
index b65e1d2dbf6..44de499e6d2 100644
--- a/spec/features/security/group/group_access_spec.rb
+++ b/spec/features/security/group/group_access_spec.rb
@@ -82,5 +82,17 @@ describe "Group access", feature: true do
     it { should be_denied_for :user }
     it { should be_denied_for :visitor }
   end
+
+  describe "GET /groups/:path/projects" do
+    subject { projects_group_path(group) }
+
+    it { should be_allowed_for owner }
+    it { should be_denied_for master }
+    it { should be_denied_for reporter }
+    it { should be_allowed_for :admin }
+    it { should be_denied_for guest }
+    it { should be_denied_for :user }
+    it { should be_denied_for :visitor }
+  end
 end
 end
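Review bot: `authorize_read_group!` now checks `@projects.present?` instead of calling `projects`, so the read-access decision depends on that instance variable already being assigned when the filter runs; in the first hunk the authorize filters are declared ahead of the `# Load group projects` filter, and unless the loader is registered earlier (outside this hunk) `@projects` is nil at that point, `nil.present?` is false, and a user whose only link to the group is project membership is silently denied rather than failing loudly. `project_ids` in the same hunk has the same dependency but would instead raise `NoMethodError` on `@projects.pluck(:id)`. Either declare the project-loading `before_filter` before `authorize_read_group!` or add a comment above the filter, `# @projects must be loaded by an earlier before_filter; nil here denies project-only members`, so the ordering requirement is visible to the next reader. While the condition is being rewritten, `and`/`or` could become `&&`/`||`: `unless @group && (@projects.present? || can?(current_user, :read_group, @group))`. The body of `authorize_read_group!` continues outside the hunk.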