Commit 0b7c4fe0 authored by Douwe Maan's avatar Douwe Maan

Don't include users without project access in participants.

parent fb86ec51
......@@ -44,7 +44,7 @@ v 7.11.0 (unreleased)
- Fix bug where avatar filenames were not actually deleted from the database during removal (Stan Hu)
- Fix bug where Slack service channel was not saved in admin template settings. (Stan Hu)
- Protect OmniAuth request phase against CSRF.
-
- Don't send notifications to mentioned users that don't have access to the project in question.
-
- Move snippets UI to fluid layout
- Improve UI for sidebar. Increase separation between navigation and content
......
......@@ -35,8 +35,8 @@ def participant_attrs
end
end
def participants(current_user = self.author)
self.class.participant_attrs.flat_map do |attr|
def participants(current_user = self.author, project = self.project)
participants = self.class.participant_attrs.flat_map do |attr|
meth = method(attr)
value =
......@@ -46,20 +46,28 @@ def participants(current_user = self.author)
meth.call
end
participants_for(value, current_user)
participants_for(value, current_user, project)
end.compact.uniq
if project
participants.select! do |user|
user.can?(:read_project, project)
end
end
participants
end
private
def participants_for(value, current_user = nil)
def participants_for(value, current_user = nil, project = nil)
case value
when User
[value]
when Enumerable, ActiveRecord::Relation
value.flat_map { |v| participants_for(v, current_user) }
value.flat_map { |v| participants_for(v, current_user, project) }
when Participable
value.participants(current_user)
value.participants(current_user, project)
end
end
end
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment