Allow access to groups with public projects.

Fixed Group avatars to only display when user has read permissions to at least one project in the group.

Allow access to groups with public projects.
Fixed Group avatars to only display when user has read permissions to at least one project in the group.
Jason Hollingsworth
1 parent 138e2a50
Showing 29 changed files with 718 additions and 173 deletions Show diff stats
app/controllers/dashboard_controller.rb
app/controllers/groups_controller.rb
app/controllers/public/projects_controller.rb
app/controllers/users_controller.rb
app/helpers/groups_helper.rb
app/helpers/search_helper.rb
app/models/ability.rb
app/models/group.rb
app/models/namespace.rb
app/models/project.rb
app/services/filtering_service.rb
app/services/search/global_service.rb
app/views/groups/issues.html.haml
app/views/groups/members.html.haml
app/views/groups/merge_requests.html.haml
app/views/groups/show.html.haml
app/views/layouts/nav/_group.html.haml
app/views/layouts/public_group.html.haml
app/views/layouts/public_projects.html.haml
app/views/shared/_filter.html.haml
@@ -77,5 +77,6 @@ class DashboardController &lt; ApplicationController
   def default_filter
     params[:scope] = 'assigned-to-me' if params[:scope].blank?
     params[:state] = 'opened' if params[:state].blank?
+    params[:authorized_only] = true
   end
 end
 class GroupsController < ApplicationController
+  skip_before_filter :authenticate_user!, only: [:show, :issues, :members, :merge_requests]
   respond_to :html
   before_filter :group, except: [:new, :create]
  
@@ -36,7 +37,7 @@ class GroupsController &lt; ApplicationController
     @events = Event.in_projects(project_ids)
     @events = event_filter.apply_filter(@events)
     @events = @events.limit(20).offset(params[:offset] || 0)
-    @last_push = current_user.recent_push
+    @last_push = current_user.recent_push if current_user
  
     respond_to do |format|
       format.html
@@ -98,17 +99,21 @@ class GroupsController &lt; ApplicationController
   end
  
   def projects
-    @projects ||= current_user.authorized_projects.where(namespace_id: group.id).sorted_by_activity
+    @projects ||= group.projects_accessible_to(current_user).sorted_by_activity
   end
  
   def project_ids
-    projects.map(&:id)
+    projects.pluck(:id)
   end
  
   # Dont allow unauthorized access to group
   def authorize_read_group!
     unless @group and (projects.present? or can?(current_user, :read_group, @group))
-      return render_404
+      if current_user.nil?
+        return authenticate_user!
+      else
+        return render_404
+      end
     end
   end
  
@@ -131,13 +136,21 @@ class GroupsController &lt; ApplicationController
   def determine_layout
     if [:new, :create].include?(action_name.to_sym)
       'navless'
-    else
+    elsif current_user
       'group'
+    else
+      'public_group'
     end
   end
  
   def default_filter
-    params[:scope] = 'assigned-to-me' if params[:scope].blank?
+    if params[:scope].blank?
+      if current_user
+        params[:scope] = 'assigned-to-me'
+      else
+        params[:scope] = 'all'
+      end
+    end
     params[:state] = 'opened' if params[:state].blank?
     params[:group_id] = @group.id
   end
@@ -6,7 +6,7 @@ class Public::ProjectsController &lt; ApplicationController
   layout 'public'
  
   def index
-    @projects = Project.public_or_internal_only(current_user)
+    @projects = Project.publicish(current_user)
     @projects = @projects.search(params[:search]) if params[:search].present?
     @projects = @projects.sort(@sort = params[:sort])
     @projects = @projects.includes(:namespace).page(params[:page]).per(20)
 class UsersController < ApplicationController
-
   skip_before_filter :authenticate_user!, only: [:show]
   layout :determine_layout
  
   def show
     @user = User.find_by_username!(params[:username])
-    @projects = @user.authorized_projects.includes(:namespace).select {|project| can?(current_user, :read_project, project)}
+    @projects = @user.authorized_projects.accessible_to(current_user)
     if !current_user && @projects.empty?
       return authenticate_user!
     end
-    @events = @user.recent_events.where(project_id: @projects.map(&:id)).limit(20)
+    @groups = @user.groups.accessible_to(current_user)
+    @events = @user.recent_events.where(project_id: @projects.pluck(:id)).limit(20)
     @title = @user.name
   end
  
@@ -6,6 +6,14 @@ module GroupsHelper
   def leave_group_message(group)
     "Are you sure you want to leave \"#{group}\" group?"
   end
+  
+  def should_user_see_group_roles?(user, group)
+    if user
+      user.is_admin? || group.members.exists?(user_id: user.id)
+    else
+      false
+    end
+  end
  
   def group_head_title
     title = @group.name
@@ -4,8 +4,7 @@ module SearchHelper
  
     resources_results = [
       groups_autocomplete(term),
-      projects_autocomplete(term),
-      public_projects_autocomplete(term),
+      projects_autocomplete(term)
     ].flatten
  
     generic_results = project_autocomplete + default_autocomplete + help_autocomplete
@@ -82,17 +81,7 @@ module SearchHelper
  
   # Autocomplete results for the current user's projects
   def projects_autocomplete(term, limit = 5)
-    current_user.authorized_projects.search_by_title(term).non_archived.limit(limit).map do |p|
-      {
-        label: "project: #{search_result_sanitize(p.name_with_namespace)}",
-        url: project_path(p)
-      }
-    end
-  end
-
-  # Autocomplete results for the current user's projects
-  def public_projects_autocomplete(term, limit = 5)
-    Project.public_or_internal_only(current_user).search_by_title(term).non_archived.limit(limit).map do |p|
+    Project.accessible_to(current_user).search_by_title(term).non_archived.limit(limit).map do |p|
       {
         label: "project: #{search_result_sanitize(p.name_with_namespace)}",
         url: project_path(p)
@@ -43,7 +43,19 @@ class Ability
           :download_code
         ]
       else
-        []
+        group = if subject.kind_of?(Group)
+                  subject
+                elsif subject.respond_to?(:group)
+                  subject.group
+                else
+                  nil
+                end
+        
+        if group && group.has_projects_accessible_to?(nil)
+          [:read_group]
+        else
+          []
+        end
       end
     end
  
@@ -172,7 +184,7 @@ class Ability
     def group_abilities user, group
       rules = []
  
-      if group.users.include?(user) || user.admin?
+      if user.admin? || group.users.include?(user) || group.has_projects_accessible_to?(user)
         rules << :read_group
       end
  
@@ -25,6 +25,12 @@ class Group &lt; Namespace
   validates :avatar, file_size: { maximum: 100.kilobytes.to_i }
  
   mount_uploader :avatar, AttachmentUploader
+  
+  def self.accessible_to(user)
+    accessible_ids = Project.accessible_to(user).pluck(:namespace_id)
+    accessible_ids += user.groups.pluck(:id) if user
+    where(id: accessible_ids)
+  end
  
   def human_name
     name
@@ -47,6 +47,14 @@ class Namespace &lt; ActiveRecord::Base
   def self.global_id
     'GLN'
   end
+  
+  def projects_accessible_to(user)
+    projects.accessible_to(user)
+  end
+  
+  def has_projects_accessible_to?(user)
+    projects_accessible_to(user).present?
+  end
  
   def to_param
     path
@@ -114,8 +114,6 @@ class Project &lt; ActiveRecord::Base
   scope :sorted_by_activity, -> { reorder("projects.last_activity_at DESC") }
   scope :personal, ->(user) { where(namespace_id: user.namespace_id) }
   scope :joined, ->(user) { where("namespace_id != ?", user.namespace_id) }
-  scope :public_only, -> { where(visibility_level: PUBLIC) }
-  scope :public_or_internal_only, ->(user) { where("visibility_level IN (:levels)", levels: user ? [ INTERNAL, PUBLIC ] : [ PUBLIC ]) }
  
   scope :non_archived, -> { where(archived: false) }
  
@@ -125,6 +123,18 @@ class Project &lt; ActiveRecord::Base
     def abandoned
       where('projects.last_activity_at < ?', 6.months.ago)
     end
+    
+    def publicish(user)
+      visibility_levels = [Project::PUBLIC]
+      visibility_levels += [Project::INTERNAL] if user
+      where(visibility_level: visibility_levels)
+    end
+    
+    def accessible_to(user)
+      accessible_ids = publicish(user).pluck(:id)
+      accessible_ids += user.authorized_projects.pluck(:id) if user
+      where(id: accessible_ids)
+    end
  
     def with_push
       includes(:events).where('events.action = ?', Event::PUSHED)
@@ -41,16 +41,16 @@ class FilteringService
   def init_collection
     table_name = klass.table_name
  
-    return klass.of_projects(Project.public_only) unless current_user
-
     if project
-      if current_user.can?(:read_project, project)
+      if project.public? || (current_user && current_user.can?(:read_project, project))
         project.send(table_name)
       else
         []
       end
-    else
+    elsif current_user && params[:authorized_only].presence
       klass.of_projects(current_user.authorized_projects)
+    else
+      klass.of_projects(Project.accessible_to(current_user))
     end
   end
  
@@ -11,12 +11,8 @@ module Search
       query = Shellwords.shellescape(query) if query.present?
       return result unless query.present?
  
-      authorized_projects_ids = []
-      authorized_projects_ids += current_user.authorized_projects.pluck(:id) if current_user
-      authorized_projects_ids += Project.public_or_internal_only(current_user).pluck(:id)
-
       group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
-      projects = Project.where(id: authorized_projects_ids)
+      projects = Project.accessible_to(current_user)
       projects = projects.where(namespace_id: group.id) if group
       projects = projects.search(query)
       project_ids = projects.pluck(:id)
@@ -5,7 +5,9 @@
 %p.light
   Only issues from
   %strong #{@group.name}
-  group are listed here. To see all issues you should visit #{link_to 'dashboard', issues_dashboard_path} page.
+  group are listed here.
+  - if current_user
+    To see all issues you should visit #{link_to 'dashboard', issues_dashboard_path} page.
 %hr
  
 .row
+- show_roles = should_user_see_group_roles?(current_user, @group)
 %h3.page-title
   Group members
-%p.light
-  Members of group have access to all group projects.
-  Read more about permissions
-  %strong= link_to "here", help_permissions_path, class: "vlink"
+- if show_roles
+  %p.light
+    Members of group have access to all group projects.
+    Read more about permissions
+    %strong= link_to "here", help_permissions_path, class: "vlink"
  
 %hr
  
@@ -13,7 +15,7 @@
       = search_field_tag :search, params[:search], { placeholder: 'Find member by name', class: 'form-control search-text-input input-mn-300' }
     = submit_tag 'Search', class: 'btn'
  
-  - if current_user.can? :manage_group, @group
+  - if current_user && current_user.can?(:manage_group, @group)
     .pull-right
       = link_to '#', class: 'btn btn-new js-toggle-visibility-link' do
         Add members
@@ -30,7 +32,7 @@
       (#{@members.total_count})
   %ul.well-list
     - @members.each do |member|
-      = render 'users_groups/users_group', member: member, show_controls: true
+      = render 'users_groups/users_group', member: member, show_roles: show_roles, show_controls: true
 = paginate @members, theme: 'gitlab'
  
 :coffeescript
@@ -5,7 +5,9 @@
 %p.light
   Only merge requests from
   %strong #{@group.name}
-  group are listed here. To see all merge requests you should visit #{link_to 'dashboard', merge_requests_dashboard_path} page.
+  group are listed here.
+  - if current_user
+    To see all merge requests you should visit #{link_to 'dashboard', merge_requests_dashboard_path} page.
 %hr
 .row
   .col-md-3
 .dashboard
   .activities.col-md-8.hidden-sm
-    = render "events/event_last_push", event: @last_push
-    = link_to dashboard_path, class: 'btn btn-tiny' do
-      &larr; To dashboard
-    &nbsp;
+    - if current_user
+      = render "events/event_last_push", event: @last_push
+      = link_to dashboard_path, class: 'btn btn-tiny' do
+        &larr; To dashboard
+      &nbsp;
     %span.cgray You will only see events from projects in this group
     %hr
     = render 'shared/event_filter'
@@ -21,11 +22,12 @@
         - if @group.description.present?
           %p= @group.description
     = render "projects", projects: @projects
-    .prepend-top-20
-      = link_to group_path(@group, { format: :atom, private_token: current_user.private_token }), title: "Feed" do
-        %strong
-          %i.icon-rss
-          News Feed
+    - if current_user
+      .prepend-top-20
+        = link_to group_path(@group, { format: :atom, private_token: current_user.private_token }), title: "Feed" do
+          %strong
+            %i.icon-rss
+            News Feed
  
     %hr
     = render 'shared/promo'
@@ -5,11 +5,13 @@
   = nav_link(path: 'groups#issues') do
     = link_to issues_group_path(@group) do
       Issues
-      %span.count= current_user.assigned_issues.opened.of_group(@group).count
+      - if current_user
+        %span.count= current_user.assigned_issues.opened.of_group(@group).count
   = nav_link(path: 'groups#merge_requests') do
     = link_to merge_requests_group_path(@group) do
       Merge Requests
-      %span.count= current_user.cared_merge_requests.opened.of_group(@group).count
+      - if current_user
+        %span.count= current_user.cared_merge_requests.opened.of_group(@group).count
   = nav_link(path: 'groups#members') do
     = link_to "Members", members_group_path(@group)
  
@@ -0,0 +1,10 @@
+!!! 5
+%html{ lang: "en"}
+  = render "layouts/head", title: group_head_title
+  %body{class: "#{app_theme} application", :'data-page' => body_data_page}
+    = render "layouts/broadcast"
+    = render "layouts/public_head_panel", title: "group: #{@group.name}"
+    %nav.main-nav.navbar-collapse.collapse
+      .container= render 'layouts/nav/group'
+    .container
+      .content= yield
@@ -3,7 +3,7 @@
   = render "layouts/head", title: @project.name_with_namespace
   %body{class: "#{app_theme} application", :'data-page' => body_data_page}
     = render "layouts/broadcast"
-    = render "layouts/public_head_panel", title: @project.name_with_namespace
+    = render "layouts/public_head_panel", title: project_title(@project)
     %nav.main-nav
       .container= render 'layouts/nav/project'
     .container
 .side-filters.hidden-xs.hidden-sm
   = form_tag filter_path(entity), method: 'get' do
-    %fieldset.scope-filter
-      %ul.nav.nav-pills.nav-stacked
-        %li{class: ("active" if params[:scope] == 'assigned-to-me')}
-          = link_to filter_path(entity, scope: 'assigned-to-me') do
-            Assigned to me
-        %li{class: ("active" if params[:scope] == 'authored')}
-          = link_to filter_path(entity, scope: 'authored') do
-            Created by me
-        %li{class: ("active" if params[:scope] == 'all')}
-          = link_to filter_path(entity, scope: 'all') do
-            Everyone's
+    - if current_user
+      %fieldset.scope-filter
+        %ul.nav.nav-pills.nav-stacked
+          %li{class: ("active" if params[:scope] == 'assigned-to-me')}
+            = link_to filter_path(entity, scope: 'assigned-to-me') do
+              Assigned to me
+          %li{class: ("active" if params[:scope] == 'authored')}
+            = link_to filter_path(entity, scope: 'authored') do
+              Created by me
+          %li{class: ("active" if params[:scope] == 'all')}
+            = link_to filter_path(entity, scope: 'all') do
+              Everyone's
  
     %fieldset.status-filter
       %legend State
@@ -14,10 +14,10 @@
       %small member since #{@user.created_at.stamp("Nov 12, 2031")}
     .clearfix
     %h4 Groups:
-    = render 'groups', groups: @user.groups 
+    = render 'groups', groups: @groups
     %hr
     %h4 User Activity:
     = render @events
   .col-md-4
     = render 'profile', user: @user
-    = render 'projects', user: @user
+    = render 'projects'
 - user = member.user
 - return unless user
+- show_roles = true if show_roles.nil?
 %li{class: "#{dom_class(member)} js-toggle-container", id: dom_id(member)}
   = image_tag avatar_icon(user.email, 16), class: "avatar s16"
   %strong= user.name
@@ -7,22 +8,23 @@
   - if user == current_user
     %span.label.label-success It's you
  
-  %span.pull-right
-    %strong= member.human_access
-    - if show_controls
-      - if can?(current_user, :modify, member)
-        = link_to '#', class: "btn-tiny btn js-toggle-button", title: 'Edit access level' do
-          %i.icon-edit
-      - if can?(current_user, :destroy, member)
-        - if current_user == member.user
-          = link_to leave_profile_group_path(@group), data: { confirm: leave_group_message(@group.name)}, method: :delete, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
-            %i.icon-minus.icon-white
-        - else
-          = link_to group_users_group_path(@group, member), data: { confirm: remove_user_from_group_message(@group, user) }, method: :delete, remote: true, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
-            %i.icon-minus.icon-white
-
-  .edit-member.hide.js-toggle-content
-    = form_for [@group, member], remote: true do |f|
-      .alert.prepend-top-20
-        = f.select :group_access, options_for_select(UsersGroup.group_access_roles, member.group_access)
-        = f.submit 'Save', class: 'btn btn-save btn-small'
+  - if show_roles
+    %span.pull-right
+      %strong= member.human_access
+      - if show_controls
+        - if can?(current_user, :modify, member)
+          = link_to '#', class: "btn-tiny btn js-toggle-button", title: 'Edit access level' do
+            %i.icon-edit
+        - if can?(current_user, :destroy, member)
+          - if current_user == member.user
+            = link_to leave_profile_group_path(@group), data: { confirm: leave_group_message(@group.name)}, method: :delete, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
+              %i.icon-minus.icon-white
+          - else
+            = link_to group_users_group_path(@group, member), data: { confirm: remove_user_from_group_message(@group, user) }, method: :delete, remote: true, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
+              %i.icon-minus.icon-white
+  
+    .edit-member.hide.js-toggle-content
+      = form_for [@group, member], remote: true do |f|
+        .alert.prepend-top-20
+          = f.select :group_access, options_for_select(UsersGroup.group_access_roles, member.group_access)
+          = f.submit 'Save', class: 'btn btn-save btn-small'
@@ -0,0 +1,118 @@
+Feature: Public Projects Feature
+  Background:
+    Given group "TestGroup" has private project "Enterprise"
+
+  Scenario: I should not see group with private projects as visitor
+    When I visit group "TestGroup" page
+    Then I should be redirected to sign in page
+
+  Scenario: I should not see group with private projects group as user
+    When I sign in as a user
+    And I visit group "TestGroup" page
+    Then page status code should be 404
+
+  Scenario: I should not see group with private and internal projects as visitor
+    Given group "TestGroup" has internal project "Internal"
+    When I visit group "TestGroup" page
+    Then I should be redirected to sign in page
+
+  Scenario: I should see group with private and internal projects as user
+    Given group "TestGroup" has internal project "Internal"
+    When I sign in as a user
+    And I visit group "TestGroup" page
+    Then I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group issues for internal project as user
+    Given group "TestGroup" has internal project "Internal"
+    When I sign in as a user
+    And I visit group "TestGroup" issues page
+    And I change filter to Everyone's
+    Then I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group merge requests for internal project as user
+    Given group "TestGroup" has internal project "Internal"
+    When I sign in as a user
+    And I visit group "TestGroup" merge requests page
+    And I change filter to Everyone's
+    Then I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group's members as user
+    Given group "TestGroup" has internal project "Internal"
+    And "John Doe" is owner of group "TestGroup"
+    When I sign in as a user
+    And I visit group "TestGroup" members page
+    Then I should see group member "John Doe"
+    And I should not see member roles
+
+  Scenario: I should see group with private, internal and public projects as visitor
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I visit group "TestGroup" page
+    Then I should see project "Community" items
+    And I should not see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group issues for public project as visitor
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I visit group "TestGroup" issues page
+    Then I should see project "Community" items
+    And I should not see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group merge requests for public project as visitor
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I visit group "TestGroup" merge requests page
+    Then I should see project "Community" items
+    And I should not see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group's members as visitor
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    And "John Doe" is owner of group "TestGroup"
+    When I visit group "TestGroup" members page
+    Then I should see group member "John Doe"
+    And I should not see member roles
+
+  Scenario: I should see group with private, internal and public projects as user
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I sign in as a user
+    And I visit group "TestGroup" page
+    Then I should see project "Community" items
+    And I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group issues for internal and public projects as user
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I sign in as a user
+    And I visit group "TestGroup" issues page
+    And I change filter to Everyone's
+    Then I should see project "Community" items
+    And I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group merge requests for internal and public projects as user
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    When I sign in as a user
+    And I visit group "TestGroup" merge requests page
+    And I change filter to Everyone's
+    Then I should see project "Community" items
+    And I should see project "Internal" items
+    And I should not see project "Enterprise" items
+
+  Scenario: I should see group's members as user
+    Given group "TestGroup" has internal project "Internal"
+    Given group "TestGroup" has public project "Community"
+    And "John Doe" is owner of group "TestGroup"
+    When I sign in as a user
+    And I visit group "TestGroup" members page
+    Then I should see group member "John Doe"
+    And I should not see member roles
@@ -0,0 +1,93 @@
+class Spinach::Features::PublicProjectsFeature < Spinach::FeatureSteps
+  include SharedAuthentication
+  include SharedPaths
+  include SharedGroup
+  include SharedProject
+
+  step 'group "TestGroup" has private project "Enterprise"' do
+    group_has_project("TestGroup", "Enterprise", Gitlab::VisibilityLevel::PRIVATE)
+  end
+
+  step 'group "TestGroup" has internal project "Internal"' do
+    group_has_project("TestGroup", "Internal", Gitlab::VisibilityLevel::INTERNAL)
+  end
+
+  step 'group "TestGroup" has public project "Community"' do
+    group_has_project("TestGroup", "Community", Gitlab::VisibilityLevel::PUBLIC)
+  end
+  
+  step '"John Doe" is owner of group "TestGroup"' do
+    group = Group.find_by(name: "TestGroup") || create(:group, name: "TestGroup")
+    user = create(:user, name: "John Doe")
+    group.add_user(user, Gitlab::Access::OWNER)
+  end
+
+  step 'I visit group "TestGroup" page' do
+    visit group_path(Group.find_by(name: "TestGroup"))
+  end
+
+  step 'I visit group "TestGroup" issues page' do
+    visit issues_group_path(Group.find_by(name: "TestGroup"))
+  end
+
+  step 'I visit group "TestGroup" merge requests page' do
+    visit merge_requests_group_path(Group.find_by(name: "TestGroup"))
+  end
+
+  step 'I visit group "TestGroup" members page' do
+    visit members_group_path(Group.find_by(name: "TestGroup"))
+  end
+  
+  step 'I should not see project "Enterprise" items' do
+    page.should_not have_content "Enterprise"
+  end
+  
+  step 'I should see project "Internal" items' do
+    page.should have_content "Internal"
+  end
+  
+  step 'I should not see project "Internal" items' do
+    page.should_not have_content "Internal"
+  end
+  
+  step 'I should see project "Community" items' do
+    page.should have_content "Community"
+  end
+  
+  step 'I change filter to Everyone\'s' do
+    click_link "Everyone's"
+  end
+  
+  step 'I should see group member "John Doe"' do
+    page.should have_content "John Doe"
+  end
+  
+  step 'I should not see member roles' do
+    page.body.should_not match(%r{owner|developer|reporter|guest}i)
+  end
+
+  protected
+
+  def group_has_project(groupname, projectname, visibility_level)
+    group = Group.find_by(name: groupname) || create(:group, name: groupname)
+    project = create(:project,
+      namespace: group,
+      name: projectname,
+      path: "#{groupname}-#{projectname}",
+      visibility_level: visibility_level
+    )
+    create(:issue,
+      title: "#{projectname} feature",
+      project: project
+    )
+    create(:merge_request,
+      title: "#{projectname} feature implemented",
+      source_project: project,
+      target_project: project
+    )
+    create(:closed_issue_event,
+      project: project
+    )
+  end
+end
+
@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe "Group access" do
+  describe "GET /projects/new" do
+    it { new_group_path.should be_allowed_for :admin }
+    it { new_group_path.should be_allowed_for :user }
+    it { new_group_path.should be_denied_for :visitor }
+  end
+
+  describe "Group" do
+    let(:group) { create(:group) }
+
+    let(:owner)   { create(:owner) }
+    let(:master)   { create(:user) }
+    let(:reporter) { create(:user) }
+    let(:guest)    { create(:user) }
+    let(:nonmember)  { create(:user) }
+
+    before do
+      group.add_user(owner, Gitlab::Access::OWNER)
+      group.add_user(master, Gitlab::Access::MASTER)
+      group.add_user(reporter, Gitlab::Access::REPORTER)
+      group.add_user(guest, Gitlab::Access::GUEST)
+    end
+    
+    describe "Group should not have accessible projects" do
+      it { group.has_projects_accessible_to?(nil).should be_false }
+      it { group.has_projects_accessible_to?(nonmember).should be_false }
+    end
+
+    describe "GET /groups/:path" do
+      subject { group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/issues" do
+      subject { issues_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/merge_requests" do
+      subject { merge_requests_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/members" do
+      subject { members_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/edit" do
+      subject { edit_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_denied_for master }
+      it { should be_denied_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_denied_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+  end
+end
@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe "Group with internal project access" do
+  describe "Group" do
+    let(:group) { create(:group) }
+
+    let(:owner)   { create(:owner) }
+    let(:master)   { create(:user) }
+    let(:reporter) { create(:user) }
+    let(:guest)    { create(:user) }
+    let(:nonmember)  { create(:user) }
+
+    before do
+      group.add_user(owner, Gitlab::Access::OWNER)
+      group.add_user(master, Gitlab::Access::MASTER)
+      group.add_user(reporter, Gitlab::Access::REPORTER)
+      group.add_user(guest, Gitlab::Access::GUEST)
+      
+      create(:project, group: group, visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+    end
+    
+    describe "Group should have accessible projects for users" do
+      it { group.has_projects_accessible_to?(nil).should be_false }
+      it { group.has_projects_accessible_to?(nonmember).should be_true }
+    end
+
+    describe "GET /groups/:path" do
+      subject { group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/issues" do
+      subject { issues_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/merge_requests" do
+      subject { merge_requests_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/members" do
+      subject { members_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_denied_for :visitor }
+    end
+
+    describe "GET /groups/:path/edit" do
+      subject { edit_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_denied_for master }
+      it { should be_denied_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_denied_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+  end
+end
@@ -0,0 +1,88 @@
+require 'spec_helper'
+
+describe "Group access" do
+  describe "Group" do
+    let(:group) { create(:group) }
+
+    let(:owner)   { create(:owner) }
+    let(:master)   { create(:user) }
+    let(:reporter) { create(:user) }
+    let(:guest)    { create(:user) }
+    let(:nonmember)  { create(:user) }
+
+    before do
+      group.add_user(owner, Gitlab::Access::OWNER)
+      group.add_user(master, Gitlab::Access::MASTER)
+      group.add_user(reporter, Gitlab::Access::REPORTER)
+      group.add_user(guest, Gitlab::Access::GUEST)
+
+      create(:project, path: "internal_project", group: group, visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+      create(:project, path: "public_project", group: group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+      
+    describe "Group should have accessible projects" do
+      it { group.has_projects_accessible_to?(nil).should be_true }
+      it { group.has_projects_accessible_to?(nonmember).should be_true }
+    end
+
+    describe "GET /groups/:path" do
+      subject { group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/issues" do
+      subject { issues_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/merge_requests" do
+      subject { merge_requests_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/members" do
+      subject { members_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/edit" do
+      subject { edit_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_denied_for master }
+      it { should be_denied_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_denied_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+  end
+end
@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe "Group with public project access" do
+  describe "Group" do
+    let(:group) { create(:group) }
+
+    let(:owner)   { create(:owner) }
+    let(:master)   { create(:user) }
+    let(:reporter) { create(:user) }
+    let(:guest)    { create(:user) }
+    let(:nonmember)  { create(:user) }
+
+    before do
+      group.add_user(owner, Gitlab::Access::OWNER)
+      group.add_user(master, Gitlab::Access::MASTER)
+      group.add_user(reporter, Gitlab::Access::REPORTER)
+      group.add_user(guest, Gitlab::Access::GUEST)
+      
+      create(:project, group: group, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+    end
+
+    describe "Group should have accessible projects" do
+      it { group.has_projects_accessible_to?(nil).should be_true }
+      it { group.has_projects_accessible_to?(nonmember).should be_true }
+    end
+
+    describe "GET /groups/:path" do
+      subject { group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/issues" do
+      subject { issues_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/merge_requests" do
+      subject { merge_requests_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/members" do
+      subject { members_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_allowed_for master }
+      it { should be_allowed_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_allowed_for guest }
+      it { should be_allowed_for :user }
+      it { should be_allowed_for :visitor }
+    end
+
+    describe "GET /groups/:path/edit" do
+      subject { edit_group_path(group) }
+
+      it { should be_allowed_for owner }
+      it { should be_denied_for master }
+      it { should be_denied_for reporter }
+      it { should be_allowed_for :admin }
+      it { should be_denied_for guest }
+      it { should be_denied_for :user }
+      it { should be_denied_for :visitor }
+    end
+  end
+end
@@ -1,85 +0,0 @@
-require 'spec_helper'
-
-describe "Group access" do
-  describe "GET /projects/new" do
-    it { new_group_path.should be_allowed_for :admin }
-    it { new_group_path.should be_allowed_for :user }
-    it { new_group_path.should be_denied_for :visitor }
-  end
-
-  describe "Group" do
-    let(:group) { create(:group) }
-
-    let(:owner)   { create(:owner) }
-    let(:master)   { create(:user) }
-    let(:reporter) { create(:user) }
-    let(:guest)    { create(:user) }
-
-    before do
-      group.add_user(owner, Gitlab::Access::OWNER)
-      group.add_user(master, Gitlab::Access::MASTER)
-      group.add_user(reporter, Gitlab::Access::REPORTER)
-      group.add_user(guest, Gitlab::Access::GUEST)
-    end
-
-    describe "GET /groups/:path" do
-      subject { group_path(group) }
-
-      it { should be_allowed_for owner }
-      it { should be_allowed_for master }
-      it { should be_allowed_for reporter }
-      it { should be_allowed_for :admin }
-      it { should be_allowed_for guest }
-      it { should be_denied_for :user }
-      it { should be_denied_for :visitor }
-    end
-
-    describe "GET /groups/:path/issues" do
-      subject { issues_group_path(group) }
-
-      it { should be_allowed_for owner }
-      it { should be_allowed_for master }
-      it { should be_allowed_for reporter }
-      it { should be_allowed_for :admin }
-      it { should be_allowed_for guest }
-      it { should be_denied_for :user }
-      it { should be_denied_for :visitor }
-    end
-
-    describe "GET /groups/:path/merge_requests" do
-      subject { merge_requests_group_path(group) }
-
-      it { should be_allowed_for owner }
-      it { should be_allowed_for master }
-      it { should be_allowed_for reporter }
-      it { should be_allowed_for :admin }
-      it { should be_allowed_for guest }
-      it { should be_denied_for :user }
-      it { should be_denied_for :visitor }
-    end
-
-    describe "GET /groups/:path/members" do
-      subject { members_group_path(group) }
-
-      it { should be_allowed_for owner }
-      it { should be_allowed_for master }
-      it { should be_allowed_for reporter }
-      it { should be_allowed_for :admin }
-      it { should be_allowed_for guest }
-      it { should be_denied_for :user }
-      it { should be_denied_for :visitor }
-    end
-
-    describe "GET /groups/:path/edit" do
-      subject { edit_group_path(group) }
-
-      it { should be_allowed_for owner }
-      it { should be_denied_for master }
-      it { should be_denied_for reporter }
-      it { should be_allowed_for :admin }
-      it { should be_denied_for guest }
-      it { should be_denied_for :user }
-      it { should be_denied_for :visitor }
-    end
-  end
-end
...	...	@@ -77,5 +77,6 @@ class DashboardController < ApplicationController
77	77	def default_filter
78	78	params[:scope] = 'assigned-to-me' if params[:scope].blank?
79	79	params[:state] = 'opened' if params[:state].blank?
	80	+ params[:authorized_only] = true
80	81	end
81	82	end
...	...
1	1	class GroupsController < ApplicationController
	2	+ skip_before_filter :authenticate_user!, only: [:show, :issues, :members, :merge_requests]
2	3	respond_to :html
3	4	before_filter :group, except: [:new, :create]
4	5
...	...	@@ -36,7 +37,7 @@ class GroupsController < ApplicationController
36	37	@events = Event.in_projects(project_ids)
37	38	@events = event_filter.apply_filter(@events)
38	39	@events = @events.limit(20).offset(params[:offset] \|\| 0)
39		- @last_push = current_user.recent_push
	40	+ @last_push = current_user.recent_push if current_user
40	41
41	42	respond_to do \|format\|
42	43	format.html
...	...	@@ -98,17 +99,21 @@ class GroupsController < ApplicationController
98	99	end
99	100
100	101	def projects
101		- @projects \|\|= current_user.authorized_projects.where(namespace_id: group.id).sorted_by_activity
	102	+ @projects \|\|= group.projects_accessible_to(current_user).sorted_by_activity
102	103	end
103	104
104	105	def project_ids
105		- projects.map(&:id)
	106	+ projects.pluck(:id)
106	107	end
107	108
108	109	# Dont allow unauthorized access to group
109	110	def authorize_read_group!
110	111	unless @group and (projects.present? or can?(current_user, :read_group, @group))
111		- return render_404
	112	+ if current_user.nil?
	113	+ return authenticate_user!
	114	+ else
	115	+ return render_404
	116	+ end
112	117	end
113	118	end
114	119
...	...	@@ -131,13 +136,21 @@ class GroupsController < ApplicationController
131	136	def determine_layout
132	137	if [:new, :create].include?(action_name.to_sym)
133	138	'navless'
134		- else
	139	+ elsif current_user
135	140	'group'
	141	+ else
	142	+ 'public_group'
136	143	end
137	144	end
138	145
139	146	def default_filter
140		- params[:scope] = 'assigned-to-me' if params[:scope].blank?
	147	+ if params[:scope].blank?
	148	+ if current_user
	149	+ params[:scope] = 'assigned-to-me'
	150	+ else
	151	+ params[:scope] = 'all'
	152	+ end
	153	+ end
141	154	params[:state] = 'opened' if params[:state].blank?
142	155	params[:group_id] = @group.id
143	156	end
...	...
...	...	@@ -6,7 +6,7 @@ class Public::ProjectsController < ApplicationController
6	6	layout 'public'
7	7
8	8	def index
9		- @projects = Project.public_or_internal_only(current_user)
	9	+ @projects = Project.publicish(current_user)
10	10	@projects = @projects.search(params[:search]) if params[:search].present?
11	11	@projects = @projects.sort(@sort = params[:sort])
12	12	@projects = @projects.includes(:namespace).page(params[:page]).per(20)
...	...
1	1	class UsersController < ApplicationController
2		-
3	2	skip_before_filter :authenticate_user!, only: [:show]
4	3	layout :determine_layout
5	4
6	5	def show
7	6	@user = User.find_by_username!(params[:username])
8		- @projects = @user.authorized_projects.includes(:namespace).select {\|project\| can?(current_user, :read_project, project)}
	7	+ @projects = @user.authorized_projects.accessible_to(current_user)
9	8	if !current_user && @projects.empty?
10	9	return authenticate_user!
11	10	end
12		- @events = @user.recent_events.where(project_id: @projects.map(&:id)).limit(20)
	11	+ @groups = @user.groups.accessible_to(current_user)
	12	+ @events = @user.recent_events.where(project_id: @projects.pluck(:id)).limit(20)
13	13	@title = @user.name
14	14	end
15	15
...	...
...	...	@@ -6,6 +6,14 @@ module GroupsHelper
6	6	def leave_group_message(group)
7	7	"Are you sure you want to leave \"#{group}\" group?"
8	8	end
	9	+
	10	+ def should_user_see_group_roles?(user, group)
	11	+ if user
	12	+ user.is_admin? \|\| group.members.exists?(user_id: user.id)
	13	+ else
	14	+ false
	15	+ end
	16	+ end
9	17
10	18	def group_head_title
11	19	title = @group.name
...	...
...	...	@@ -4,8 +4,7 @@ module SearchHelper
4	4
5	5	resources_results = [
6	6	groups_autocomplete(term),
7		- projects_autocomplete(term),
8		- public_projects_autocomplete(term),
	7	+ projects_autocomplete(term)
9	8	].flatten
10	9
11	10	generic_results = project_autocomplete + default_autocomplete + help_autocomplete
...	...	@@ -82,17 +81,7 @@ module SearchHelper
82	81
83	82	# Autocomplete results for the current user's projects
84	83	def projects_autocomplete(term, limit = 5)
85		- current_user.authorized_projects.search_by_title(term).non_archived.limit(limit).map do \|p\|
86		- {
87		- label: "project: #{search_result_sanitize(p.name_with_namespace)}",
88		- url: project_path(p)
89		- }
90		- end
91		- end
92		-
93		- # Autocomplete results for the current user's projects
94		- def public_projects_autocomplete(term, limit = 5)
95		- Project.public_or_internal_only(current_user).search_by_title(term).non_archived.limit(limit).map do \|p\|
	84	+ Project.accessible_to(current_user).search_by_title(term).non_archived.limit(limit).map do \|p\|
96	85	{
97	86	label: "project: #{search_result_sanitize(p.name_with_namespace)}",
98	87	url: project_path(p)
...	...
...	...	@@ -43,7 +43,19 @@ class Ability
43	43	:download_code
44	44	]
45	45	else
46		- []
	46	+ group = if subject.kind_of?(Group)
	47	+ subject
	48	+ elsif subject.respond_to?(:group)
	49	+ subject.group
	50	+ else
	51	+ nil
	52	+ end
	53	+
	54	+ if group && group.has_projects_accessible_to?(nil)
	55	+ [:read_group]
	56	+ else
	57	+ []
	58	+ end
47	59	end
48	60	end
49	61
...	...	@@ -172,7 +184,7 @@ class Ability
172	184	def group_abilities user, group
173	185	rules = []
174	186
175		- if group.users.include?(user) \|\| user.admin?
	187	+ if user.admin? \|\| group.users.include?(user) \|\| group.has_projects_accessible_to?(user)
176	188	rules << :read_group
177	189	end
178	190
...	...
...	...	@@ -25,6 +25,12 @@ class Group < Namespace
25	25	validates :avatar, file_size: { maximum: 100.kilobytes.to_i }
26	26
27	27	mount_uploader :avatar, AttachmentUploader
	28	+
	29	+ def self.accessible_to(user)
	30	+ accessible_ids = Project.accessible_to(user).pluck(:namespace_id)
	31	+ accessible_ids += user.groups.pluck(:id) if user
	32	+ where(id: accessible_ids)
	33	+ end
28	34
29	35	def human_name
30	36	name
...	...
...	...	@@ -47,6 +47,14 @@ class Namespace < ActiveRecord::Base
47	47	def self.global_id
48	48	'GLN'
49	49	end
	50	+
	51	+ def projects_accessible_to(user)
	52	+ projects.accessible_to(user)
	53	+ end
	54	+
	55	+ def has_projects_accessible_to?(user)
	56	+ projects_accessible_to(user).present?
	57	+ end
50	58
51	59	def to_param
52	60	path
...	...
...	...	@@ -114,8 +114,6 @@ class Project < ActiveRecord::Base
114	114	scope :sorted_by_activity, -> { reorder("projects.last_activity_at DESC") }
115	115	scope :personal, ->(user) { where(namespace_id: user.namespace_id) }
116	116	scope :joined, ->(user) { where("namespace_id != ?", user.namespace_id) }
117		- scope :public_only, -> { where(visibility_level: PUBLIC) }
118		- scope :public_or_internal_only, ->(user) { where("visibility_level IN (:levels)", levels: user ? [ INTERNAL, PUBLIC ] : [ PUBLIC ]) }
119	117
120	118	scope :non_archived, -> { where(archived: false) }
121	119
...	...	@@ -125,6 +123,18 @@ class Project < ActiveRecord::Base
125	123	def abandoned
126	124	where('projects.last_activity_at < ?', 6.months.ago)
127	125	end
	126	+
	127	+ def publicish(user)
	128	+ visibility_levels = [Project::PUBLIC]
	129	+ visibility_levels += [Project::INTERNAL] if user
	130	+ where(visibility_level: visibility_levels)
	131	+ end
	132	+
	133	+ def accessible_to(user)
	134	+ accessible_ids = publicish(user).pluck(:id)
	135	+ accessible_ids += user.authorized_projects.pluck(:id) if user
	136	+ where(id: accessible_ids)
	137	+ end
128	138
129	139	def with_push
130	140	includes(:events).where('events.action = ?', Event::PUSHED)
...	...