gitlab-org--gitlab-foss/app/finders/projects_finder.rb

class ProjectsFinder
  def execute(current_user, options = {})
    group = options[:group]

    if group
      group_projects(current_user, group)
    else
      all_projects(current_user)
    end
  end

  private

  def group_projects(current_user, group)
    if current_user
      if group.users.include?(current_user)
        # User is group member
        #
        # Return ALL group projects
        group.projects
      else
        projects_members = ProjectMember.in_projects(group.projects).
          with_user(current_user)

        if projects_members.any?
          # User is a project member
          #
          # Return only:
          #   public projects
          #   internal projects
          #   joined projects
          #
          group.projects.where(
            "projects.id IN (?) OR projects.visibility_level IN (?)",
            projects_members.pluck(:source_id),
            Project.public_and_internal_levels
          )
        else
          # User has no access to group or group projects
          #
          # Return only:
          #   public projects
          #   internal projects
          #
          group.projects.public_and_internal_only
        end
      end
    else
      # Not authenticated
      #
      # Return only:
      #   public projects
      group.projects.public_only
    end
  end

  def all_projects(current_user)
    if current_user
      if current_user.authorized_projects.any?
        # User has access to private projects
        #
        # Return only:
        #   public projects
        #   internal projects
        #   joined projects
        #
        Project.where(
          "projects.id IN (?) OR projects.visibility_level IN (?)",
          current_user.authorized_projects.pluck(:id),
          Project.public_and_internal_levels
        )
      else
        # User has no access to private projects
        #
        # Return only:
        #   public projects
        #   internal projects
        #
        Project.public_and_internal_only
      end
    else
      # Not authenticated
      #
      # Return only:
      #   public projects
      Project.public_only
    end
  end
end