diff --git a/CHANGELOG b/CHANGELOG
index f92f486064ff80cfd8b137482abc7bc0d6cb3346..3dfa92f3282241626558095ea7a188893b7321e2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -44,7 +44,7 @@ v 7.11.0 (unreleased)
- Fix bug where avatar filenames were not actually deleted from the database during removal (Stan Hu)
- Fix bug where Slack service channel was not saved in admin template settings. (Stan Hu)
- Protect OmniAuth request phase against CSRF.
- -
+ - Don't send notifications to mentioned users that don't have access to the project in question.
-
- Move snippets UI to fluid layout
- Improve UI for sidebar. Increase separation between navigation and content
diff --git a/app/models/concerns/participable.rb b/app/models/concerns/participable.rb
index a4832204f7b5b7c763eb8fd9ec1257f7900b9ec2..9f667f47e0da8f6ee549e2bcbc92d3144b8c4b34 100644
--- a/app/models/concerns/participable.rb
+++ b/app/models/concerns/participable.rb
@@ -35,8 +35,8 @@ module Participable
end
end
- def participants(current_user = self.author)
- self.class.participant_attrs.flat_map do |attr|
+ def participants(current_user = self.author, project = self.project)
+ participants = self.class.participant_attrs.flat_map do |attr|
meth = method(attr)
value =
@@ -46,20 +46,28 @@ module Participable
meth.call
end
- participants_for(value, current_user)
+ participants_for(value, current_user, project)
end.compact.uniq
+
+ if project
+ participants.select! do |user|
+ user.can?(:read_project, project)
+ end
+ end
+
+ participants
end
private
- def participants_for(value, current_user = nil)
+ def participants_for(value, current_user = nil, project = nil)
case value
when User
[value]
when Enumerable, ActiveRecord::Relation
- value.flat_map { |v| participants_for(v, current_user) }
+ value.flat_map { |v| participants_for(v, current_user, project) }
when Participable
- value.participants(current_user)
+ value.participants(current_user, project)
end
end
end