Restrict user profiles based on restricted visibility levels

b05f0a48 · Felipe Artur · 5ae4fd21 · b05f0a48 · b05f0a48
Commit b05f0a48 authored 9 years ago by Felipe Artur
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
 class UsersController < ApplicationController
  skip_before_action :authenticate_user!
  before_action :set_user
+  before_filter :authorize_read_user, only: [:show]
  
  def show
    respond_to do |format|
@@ -74,6 +75,9 @@ class UsersController < ApplicationController
  end
  
  private
+  def authorize_read_user
+    render_404 unless @user.public?
+  end
  
  def set_user
    @user = User.find_by_username!(params[:username])

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -835,6 +835,10 @@ class User < ActiveRecord::Base
    notification_settings.find_or_initialize_by(source: source)
  end
  
+  def public?
+    current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+  end
+
  private
  
  def projects_union