gitlab-org--gitlab-foss/app/finders/user_recent_events_finder.rb
Rubén Dávila c1cc4777ca Hide events from internal projects in public feed for anonymous users
This change fixes a bug where an anonymous user was able to see the
activity related to internal projects when visiting the public profile
of a user of the GitLab instance.
2018-06-12 10:02:06 -05:00

64 lines
1.6 KiB
Ruby

# Get user activity feed for projects common for a user and a logged in user
#
# - current_user: The user viewing the events
# - user: The user for which to load the events
# - params:
# - offset: The page of events to return
class UserRecentEventsFinder
prepend FinderWithCrossProjectAccess
include FinderMethods
requires_cross_project_access
attr_reader :current_user, :target_user, :params
LIMIT = 20
def initialize(current_user, target_user, params = {})
@current_user = current_user
@target_user = target_user
@params = params
end
def execute
recent_events(params[:offset] || 0)
.joins(:project)
.with_associations
.limit_recent(LIMIT, params[:offset])
end
private
def recent_events(offset)
sql = <<~SQL
(#{projects}) AS projects_for_join
JOIN (#{target_events.to_sql}) AS #{Event.table_name}
ON #{Event.table_name}.project_id = projects_for_join.id
SQL
# Workaround for https://github.com/rails/rails/issues/24193
Event.from([Arel.sql(sql)])
end
def target_events
Event.where(author: target_user)
end
def projects
# Compile a list of projects `current_user` interacted with
# and `target_user` is allowed to see.
authorized = target_user
.project_interactions
.joins(:project_authorizations)
.where(project_authorizations: { user: current_user })
.select(:id)
visible = target_user
.project_interactions
.where(visibility_level: Gitlab::VisibilityLevel.levels_for_user(current_user))
.select(:id)
Gitlab::SQL::Union.new([authorized, visible]).to_sql
end
end