
@mjdetullio
Last active December 14, 2015 20:39
GitLab 4.2: Convert public (no auth) HTTP clone projects into internally public projects (auth required) with Reporter access. I am not liable for any effects this may have on your GitLab instance(s)
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 400e44e..7c74dcb 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -10,7 +10,7 @@ class Admin::UsersController < Admin::ApplicationController
def show
@projects = Project.scoped
- @projects = @projects.without_user(admin_user) if admin_user.authorized_projects.present?
+ @projects = @projects.without_user(admin_user) if admin_user.joined_projects.present?
end
def team_update
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 97fa1db..4281d30 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -30,6 +30,8 @@ class DashboardController < ApplicationController
@projects.personal(current_user)
when 'joined' then
@projects.joined(current_user)
+ when 'public' then
+ @projects.public
else
@projects
end
diff --git a/app/controllers/public/projects_controller.rb b/app/controllers/public/projects_controller.rb
index 4108fe5..620827f 100644
--- a/app/controllers/public/projects_controller.rb
+++ b/app/controllers/public/projects_controller.rb
@@ -1,6 +1,5 @@
class Public::ProjectsController < ApplicationController
- skip_before_filter :authenticate_user!,
- :reject_blocked, :set_current_user_for_observers,
+ skip_before_filter :set_current_user_for_observers,
:add_abilities
layout 'public'
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6d087a9..097c264 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -34,10 +34,10 @@ class Ability
elsif team.developers.include?(user)
rules << project_dev_rules
- elsif team.reporters.include?(user)
+ elsif team.reporters.include?(user) || project.public?
rules << project_report_rules
- elsif team.guests.include?(user)
+ elsif team.guests.include?(user) || project.public?
rules << project_guest_rules
end
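Review bot: The `|| project.public?` added to the guests branch can never take effect, because the reporters branch directly above already matches every public project. The second hunk in this file adds `project_public_rules`, but nothing visible in the diff calls it. I would leave the reporter and guest conditions as they were and add a dedicated branch before the guests check, `elsif project.public?` followed by `rules << project_public_rules`, which keeps today's result (reporter-level rules on any public project) while making the grant explicit in one place. The if/elsif chain begins outside the hunk, so whether `user` is vetted (for example for a blocked account) before reaching it is not visible here.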
@@ -106,6 +106,10 @@ class Ability
]
end
+ def project_public_rules
+ project_report_rules
+ end
+
def group_abilities user, group
rules = []
diff --git a/app/models/project.rb b/app/models/project.rb
index 6a3d7ab..7e20aa9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -78,14 +78,14 @@ class Project < ActiveRecord::Base
validate :check_limit, :repo_name
# Scopes
- scope :without_user, ->(user) { where("id NOT IN (:ids)", ids: user.authorized_projects.map(&:id) ) }
+ scope :without_user, ->(user) { where("id NOT IN (:ids)", ids: user.joined_projects.map(&:id) ) }
scope :not_in_group, ->(group) { where("id NOT IN (:ids)", ids: group.project_ids ) }
scope :without_team, ->(team) { team.projects.present? ? where("id NOT IN (:ids)", ids: team.projects.map(&:id)) : scoped }
scope :in_team, ->(team) { where("id IN (:ids)", ids: team.projects.map(&:id)) }
scope :in_namespace, ->(namespace) { where(namespace_id: namespace.id) }
scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") }
scope :personal, ->(user) { where(namespace_id: user.namespace_id) }
- scope :joined, ->(user) { where("namespace_id != ?", user.namespace_id) }
+ scope :joined, ->(user) { where("namespace_id != :nid AND id IN (SELECT users_projects.project_id FROM users_projects WHERE users_projects.user_id = :uid)", nid: user.namespace_id, uid: user.id) }
scope :public, where(public: true)
class << self
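Review bot: `without_user` now builds its `NOT IN` list from `user.joined_projects`, and an empty list is, as far as I know, bound as `NULL`, so the scope would match no rows for a user with no memberships. The admin controller guards its call with `joined_projects.present?`, but the scope itself has no guard, unlike `without_team` two lines below. The same shape would work here: `user.joined_projects.present? ? where("id NOT IN (:ids)", ids: user.joined_projects.map(&:id)) : scoped`. The class body continues outside the hunk.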
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 2cc7697..9592784 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -67,6 +67,7 @@ class ProjectTeam
end
def repository_readers
+ return ['@all'] if @project.public?
repository_members[UsersProject::REPORTER]
end
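Review bot: Returning `['@all']` from `repository_readers` gives read access to every identity the git backend knows, not only to signed-in GitLab users. If this list is written into the gitolite configuration, as the `@all` token suggests, that would include deploy keys registered for unrelated projects. Depending on the gitolite version and settings, it may also include the special `gitweb` and `daemon` users, which would bring back the unauthenticated read path this patch removes from the HTTP side. At minimum the line needs a comment stating that scope, for example `# @all = every key in gitolite, incl. deploy keys; confirm gitweb/daemon are not exported`. A narrower option is to return an explicit list of active users' key identifiers.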
diff --git a/app/models/user.rb b/app/models/user.rb
index 5b0df09..cb9f972 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -193,11 +193,17 @@ class User < ActiveRecord::Base
# Projects user has access to
def authorized_projects
- project_ids = users_projects.pluck(:project_id)
+ project_ids = Project.public.pluck(:id)
+ project_ids = project_ids | users_projects.pluck(:project_id)
project_ids = project_ids | owned_projects.pluck(:id)
Project.where(id: project_ids)
end
+ def joined_projects
+ project_ids = users_projects.pluck(:project_id)
+ Project.where(id: project_ids)
+ end
+
# Projects in user namespace
def personal_projects
Project.personal(self)
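Review bot: `authorized_projects` now returns every public project for every user, so each caller that used it to mean "projects this user belongs to" silently changes meaning. This diff updates only two of them (the admin controller and the `without_user` scope); the remaining callers are outside the diff and need an audit, particularly any that use it for write or notification decisions. The new `joined_projects` also drops `owned_projects`, which the old `authorized_projects` included, so owned projects without a `users_projects` row are no longer excluded by `without_user`. A comment on the new method would pin that down, for example `# Projects the user is an explicit team member of (excludes public and owned-only projects)`.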
diff --git a/app/views/admin/projects/_form.html.haml b/app/views/admin/projects/_form.html.haml
index ebf6992..fb48fc8 100644
--- a/app/views/admin/projects/_form.html.haml
+++ b/app/views/admin/projects/_form.html.haml
@@ -47,7 +47,7 @@
%legend Public mode:
.clearfix
= f.label :public do
- %span Allow public http clone
+ %span Allow public read access
.input= f.check_box :public
%fieldset.features
diff --git a/app/views/dashboard/projects.html.haml b/app/views/dashboard/projects.html.haml
index 8e21b0c..8eb3125 100644
--- a/app/views/dashboard/projects.html.haml
+++ b/app/views/dashboard/projects.html.haml
@@ -19,6 +19,8 @@
= link_to "Personal", projects_dashboard_path(scope: 'personal')
= nav_tab :scope, 'joined' do
= link_to "Joined", projects_dashboard_path(scope: 'joined')
+ = nav_tab :scope, 'public' do
+ = link_to "Public", projects_dashboard_path(scope: 'public')
.span9
= form_tag projects_dashboard_path, method: 'get' do
diff --git a/app/views/layouts/project_resource.html.haml b/app/views/layouts/project_resource.html.haml
index 09ccb1d..d9b6ca4 100644
--- a/app/views/layouts/project_resource.html.haml
+++ b/app/views/layouts/project_resource.html.haml
@@ -7,7 +7,7 @@
- if can?(current_user, :download_code, @project)
= render 'shared/no_ssh'
- - unless @project.users.include?(current_user)
+ - unless @project.users.include?(current_user) || @project.public?
= render 'shared/not_in_team'
.container
%ul.main_menu
diff --git a/app/views/projects/_form.html.haml b/app/views/projects/_form.html.haml
index 0336654..24b97db 100644
--- a/app/views/projects/_form.html.haml
+++ b/app/views/projects/_form.html.haml
@@ -53,9 +53,9 @@
.controls
= f.check_box :public
%span.descr
- If checked, this project can be cloned
- %em without any
- authentification.
+ If checked, this project will be visible to all users
+ %em with
+ authentication.
It will also be listed on the #{link_to "public access directory", public_root_path}.
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index a2d15d5..2de60f6 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -15,7 +15,7 @@ module Grack
@env['SCRIPT_NAME'] = ""
return render_not_found unless project
- return unauthorized unless project.public || @auth.provided?
+ return unauthorized unless @auth.provided?
return bad_request if @auth.provided? && [email protected]?
if valid?
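Review bot: With the new guard in place, the `@auth.provided? &&` test on the following line is always true and can be dropped, leaving `return bad_request unless @auth.basic?`. That condition is printed on this page as `[email protected]?`, which looks like e-mail obfuscation of `!@auth.basic?` by the hosting page rather than the real source, so check the original file before applying the patch. Every clone, including of public projects, now sends Basic credentials, so a comment such as `# public projects also require credentials; serve this endpoint over HTTPS only` would record the assumption. The enclosing method starts and ends outside the hunk.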
@@ -50,12 +50,12 @@ module Grack
end
def validate_get_request
- project.public || can?(user, :download_code, project)
+ can?(user, :download_code, project)
end
def validate_post_request
if @request.path_info.end_with?('git-upload-pack')
- project.public || can?(user, :download_code, project)
+ can?(user, :download_code, project)
elsif @request.path_info.end_with?('git-receive-pack')
action = if project.protected_branch?(current_ref)
:push_code_to_protected_branches
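Review bot: Both read checks now depend entirely on `can?(user, :download_code, project)`, so a non-member can clone a public project only if the rules that `Ability` grants through `project.public?` contain `:download_code`. That rule list is not visible in this diff. A comment on `validate_get_request` such as `# public projects are handled in Ability, not here` would keep a later reader from re-adding the `project.public` shortcut. `validate_post_request` continues past the end of the hunk, so the push branch is not reviewed here.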