Show project members only for members

app/controllers/projects/project_members_controller.rb

 class Projects::ProjectMembersController < Projects::ApplicationController
   # Authorize
-  before_action :authorize_admin_project_member!, except: :leave
+  before_action :authorize_admin_project_member!, except: [:leave, :index]
+  before_action :authorize_read_members_list!, only: [:index]
 
   def index
     @project_members = @project.project_members
@@ -112,4 +113,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   def member_params
     params.require(:project_member).permit(:user_id, :access_level)
   end
+
+  def authorize_read_members_list!
+    render_403 unless can?(current_user, :read_members_list , @project)
+  end
 end

app/helpers/projects_helper.rb

@@ -144,6 +144,10 @@ module ProjectsHelper
       nav_tabs << :settings
     end
 
+    if can?(current_user, :read_members_list, project)
+      nav_tabs << :team
+    end
+
     if can?(current_user, :read_issue, project)
       nav_tabs << :issues
     end

app/models/ability.rb

@@ -154,9 +154,17 @@ class Ability
       end
     end
 
+    def project_member_rules(team, user)
+      all_members_rules = []
+
+      #Rules only for members which does not include public behavior
+      all_members_rules << :read_members_list if team.members.include?(user)
+      all_members_rules
+    end
+
     def project_team_rules(team, user)
       # Rules based on role in project
-      if team.master?(user)
+      filtered_rules = if team.master?(user)
         project_master_rules
       elsif team.developer?(user)
         project_dev_rules
@@ -165,6 +173,8 @@ class Ability
       elsif team.guest?(user)
         project_guest_rules
       end
+
+      Array(filtered_rules) + project_member_rules(team, user)
     end
 
     def public_project_rules

app/views/layouts/nav/_project.html.haml

@@ -77,7 +77,7 @@
           Merge Requests
           %span.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
 
-  - if project_nav_tab? :settings
+  - if project_nav_tab? :team
     = nav_link(controller: [:project_members, :teams]) do
       = link_to namespace_project_project_members_path(@project.namespace, @project), title: 'Members', class: 'team-tab tab' do
         = icon('users fw')

spec/controllers/projects/project_members_controller_spec.rb

@@ -46,4 +46,31 @@ describe Projects::ProjectMembersController do
       end
     end
   end
+
+  describe 'index' do
+    let(:project) { create(:project, :internal) }
+
+    context 'when user is member' do
+      let(:member) { create(:user) }
+
+      before do
+        project.team << [member, :guest]
+        sign_in(member)
+        get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
+      end
+
+       it { expect(response.status).to eq(200) }
+    end
+
+    context 'when user is not member' do
+      let(:not_member) { create(:user) }
+
+      before do
+        sign_in(not_member)
+        get :index, namespace_id: project.namespace.to_param, project_id: project.to_param
+      end
+
+      it { expect(response.status).to eq(403) }
+    end
+  end
 end