Private contributions are hidden on the contributions calendar when a user is removed from a project
Release notes
Problem to solve
I was recently removed from several projects to which I contributed for over a year, so for my activity to be visible to any visitors, I checked the 'Include private contributions on my profile' in profile settings. The contributions are then all anonymously listed in my Activity log, and yet the contribution graph is empty and does not show any of them?
The contributions are listed but do not appear in the calendar
Debug
Once you get removed from a project, the ContributedProjectsFinder no longer returns that project to the contribution calendar, because it is no longer visible to you.
--- a/lib/gitlab/contributions_calendar.rb
+++ b/lib/gitlab/contributions_calendar.rb
@@ -12,11 +12,8 @@ def initialize(contributor, current_user = nil)
@contributor = contributor
@contributor_time_instance = local_timezone_instance(contributor.timezone).now
@current_user = current_user
- @projects = if @contributor.include_private_contributions?
- ContributedProjectsFinder.new(@contributor).execute(@contributor)
- else
- ContributedProjectsFinder.new(contributor).execute(current_user)
- end
+ @projects = ContributedProjectsFinder.new(contributor).execute(current_user)
end
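Review bot: The one remaining call, `ContributedProjectsFinder.new(contributor).execute(current_user)`, no longer shows that the calendar can receive projects the viewer has no access to; the decision to skip permission filtering has moved out of this call site and into the shared finder. Keep the bypass explicit here, for example by passing an option to the finder only when `@contributor.include_private_contributions?` is true, and add a comment that `@projects` may then contain projects `current_user` cannot read, so it should only feed aggregate counts.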
--- a/app/finders/contributed_projects_finder.rb
+++ b/app/finders/contributed_projects_finder.rb
@@ -30,8 +30,13 @@ def can_read_profile?(current_user)
def all_projects(current_user)
projects = []
- projects << @user.contributed_projects.visible_to_user(current_user) if current_user
- projects << @user.contributed_projects.public_to_user(current_user)
+ if @user.include_private_contributions?
+ projects << @user.contributed_projects
+ else
+ projects << @user.contributed_projects.visible_to_user(current_user) if current_user
+ projects << @user.contributed_projects.public_to_user(current_user)
+ end
projects
end
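Review bot: The new `if @user.include_private_contributions?` branch in `all_projects` pushes `@user.contributed_projects` with no reference to `current_user`, so every caller of this finder gets the unfiltered list, including the case where `current_user` is nil. Keep the `visible_to_user` / `public_to_user` filtering as the default and make the unfiltered path something a caller has to request explicitly, rather than keying it on the contributor's profile preference inside the finder.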
However, I'm not really sure if it might be a security concern when the projects finder starts exposing these projects in other places than the contribution calendar.
I think that diff makes sense. When include_private_contributions? is true, we don't need to filter for projects that the author has access to.
However, I'm not really sure if it might be a security concern when the projects finder starts exposing these projects in other places than the contribution calendar. And sadly I don't have the time to do a deep dive into that matter.
Looking into this, I think this would expose projects in the "Contributed projects" tab: https://gitlab.com/users/engwan/contributed
So maybe a better way to do this is to pass in a param to ContributedProjectsFinder if we want to skip the filtering by permissions.
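The parameter idea from the last comment, sketched as an added example (not GitLab's code and not part of the thread). It uses plain Ruby stand-ins instead of Rails models; the `ignore_visibility:` keyword, the `calendar_counts` and `contributed_tab` helpers and all sample data are assumptions made for illustration.

```ruby
# Simplified stand-ins (constructed): no Rails, no database.
Project = Struct.new(:name, :is_public, :member_ids) do
  def visible_to?(user)
    is_public || (!user.nil? && member_ids.include?(user.id))
  end
end
User = Struct.new(:id, :contributed_projects, :include_private_contributions)

class ContributedProjectsFinder
  def initialize(user)
    @user = user
  end

  # ignore_visibility is a hypothetical keyword. The default keeps the
  # permission filter, so existing callers are unaffected.
  def execute(current_user = nil, ignore_visibility: false)
    return @user.contributed_projects.dup if ignore_visibility

    @user.contributed_projects.select { |p| p.visible_to?(current_user) }
  end
end

# Calendar: the only caller that opts out, and it returns per-day counts only.
def calendar_counts(contributor, viewer, events)
  projects = ContributedProjectsFinder.new(contributor)
    .execute(viewer, ignore_visibility: contributor.include_private_contributions)
  names = projects.map(&:name)
  events.select { |e| names.include?(e[:project]) }
        .group_by { |e| e[:date] }
        .transform_values(&:size)
end

# "Contributed projects" tab: lists project names, so it never opts out.
def contributed_tab(contributor, viewer)
  ContributedProjectsFinder.new(contributor).execute(viewer).map(&:name)
end

# Constructed sample data: user 1 contributed to "secret" and was later removed.
SECRET  = Project.new("secret", false, [2])
OPEN    = Project.new("open", true, [])
ALICE   = User.new(1, [SECRET, OPEN], true)
VISITOR = User.new(3, [], false)
EVENTS  = [
  { project: "secret", date: "2020-01-01" },
  { project: "secret", date: "2020-01-01" },
  { project: "open",   date: "2020-01-02" }
]
```

With this shape the calendar counts the two events in the private project, while the project list shown to the same visitor still contains only the public project.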
Proposal
Intended users
Feature Usage Metrics