Port `read_cross_project` ability from EE

148816cd · Bob Van Landuyt · b5306075 · 148816cd · 148816cd · 148816cd
Commit 148816cd authored 7 years ago by Bob Van Landuyt
--- a/spec/lib/gitlab/cross_project_access/check_info_spec.rb
+++ b/spec/lib/gitlab/cross_project_access/check_info_spec.rb
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess::CheckInfo do
+  let(:dummy_controller) { double }
+
+  before do
+    allow(dummy_controller).to receive(:action_name).and_return('index')
+  end
+
+  describe '#should_run?' do
+    it 'runs when an action is defined' do
+      info = described_class.new({ index: true }, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'runs when the action is missing' do
+      info = described_class.new({}, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not run when the action is excluded' do
+      info = described_class.new({ index: false }, nil, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'runs when the `if` conditional is true' do
+      info = described_class.new({}, -> { true }, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not run when the if condition is false' do
+      info = described_class.new({}, -> { false }, nil, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not run when the `unless` check is true' do
+      info = described_class.new({}, nil, -> { true }, false)
+
+      expect(info.should_run?(dummy_controller)).to be_falsy
+    end
+
+    it 'runs when the `unless` check is false' do
+      info = described_class.new({}, nil, -> { false }, false)
+
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+
+    it 'returns the the oposite of #should_skip? when the check is a skip' do
+      info = described_class.new({}, nil, nil, true)
+
+      expect(info).to receive(:should_skip?).with(dummy_controller).and_return(false)
+      expect(info.should_run?(dummy_controller)).to be_truthy
+    end
+  end
+
+  describe '#should_skip?' do
+    it 'skips when an action is defined' do
+      info = described_class.new({ index: true }, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not skip when the action is not defined' do
+      info = described_class.new({}, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not skip when the action is excluded' do
+      info = described_class.new({ index: false }, nil, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'skips when the `if` conditional is true' do
+      info = described_class.new({ index: true }, -> { true }, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'does not skip the `if` conditional is false' do
+      info = described_class.new({ index: true }, -> { false }, nil, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'does not skip when the `unless` check is true' do
+      info = described_class.new({ index: true }, nil, -> { true }, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_falsy
+    end
+
+    it 'skips when `unless` check is false' do
+      info = described_class.new({ index: true }, nil, -> { false }, true)
+
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+
+    it 'returns the the oposite of #should_run? when the check is not a skip' do
+      info = described_class.new({}, nil, nil, false)
+
+      expect(info).to receive(:should_run?).with(dummy_controller).and_return(false)
+      expect(info.should_skip?(dummy_controller)).to be_truthy
+    end
+  end
+end
--- a/spec/lib/gitlab/cross_project_access/class_methods_spec.rb
+++ b/spec/lib/gitlab/cross_project_access/class_methods_spec.rb
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess::ClassMethods do
+  let(:dummy_class) do
+    Class.new do
+      extend Gitlab::CrossProjectAccess::ClassMethods
+    end
+  end
+  let(:dummy_proc) { lambda { false } }
+
+  describe '#requires_cross_project_access' do
+    it 'creates a correct check when a hash is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: false },
+                                     positive_condition: dummy_proc,
+                                     negative_condition: dummy_proc)
+
+      dummy_class.requires_cross_project_access(
+        hello: true, world: false, if: dummy_proc, unless: dummy_proc
+      )
+    end
+
+    it 'creates a correct check when an array is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: true },
+                                     positive_condition: nil,
+                                     negative_condition: nil)
+
+      dummy_class.requires_cross_project_access(:hello, :world)
+    end
+
+    it 'creates a correct check when an array and a hash is passed' do
+      expect(Gitlab::CrossProjectAccess)
+        .to receive(:add_check).with(dummy_class,
+                                     actions: { hello: true, world: true },
+                                     positive_condition: dummy_proc,
+                                     negative_condition: dummy_proc)
+
+      dummy_class.requires_cross_project_access(
+        :hello, :world, if: dummy_proc, unless: dummy_proc
+      )
+    end
+  end
+end
--- a/spec/lib/gitlab/cross_project_access_spec.rb
+++ b/spec/lib/gitlab/cross_project_access_spec.rb
+require 'spec_helper'
+
+describe Gitlab::CrossProjectAccess do
+  let(:super_class) { Class.new }
+  let(:descendant_class) { Class.new(super_class) }
+  let(:current_instance) { described_class.new }
+
+  before do
+    allow(described_class).to receive(:instance).and_return(current_instance)
+  end
+
+  describe '#add_check' do
+    it 'keeps track of the properties to check' do
+      expect do
+        described_class.add_check(super_class,
+                                  actions: { index: true },
+                                  positive_condition: -> { true },
+                                  negative_condition: -> { false })
+      end.to change { described_class.checks.size }.by(1)
+    end
+
+    it 'builds the check correctly' do
+      check_collection = described_class.add_check(super_class,
+                                                   actions: { index: true },
+                                                   positive_condition: -> { 'positive' },
+                                                   negative_condition: -> { 'negative' })
+
+      check = check_collection.checks.first
+
+      expect(check.actions).to eq(index: true)
+      expect(check.positive_condition.call).to eq('positive')
+      expect(check.negative_condition.call).to eq('negative')
+    end
+
+    it 'merges the checks of a parent class into existing checks of a subclass' do
+      subclass_collection = described_class.add_check(descendant_class)
+
+      expect(subclass_collection).to receive(:add_collection).and_call_original
+
+      described_class.add_check(super_class)
+    end
+
+    it 'merges the existing checks of a superclass into the checks of a subclass' do
+      super_collection = described_class.add_check(super_class)
+      descendant_collection = described_class.add_check(descendant_class)
+
+      expect(descendant_collection.checks).to include(*super_collection.checks)
+    end
+  end
+
+  describe '#find_check' do
+    it 'returns a check when it was defined for a superclass' do
+      expected_check = described_class.add_check(super_class,
+                                                 actions: { index: true },
+                                                 positive_condition: -> { 'positive' },
+                                                 negative_condition: -> { 'negative' })
+
+      expect(described_class.find_check(descendant_class.new))
+        .to eq(expected_check)
+    end
+
+    it 'caches the result for a subclass' do
+      described_class.add_check(super_class,
+                                actions: { index: true },
+                                positive_condition: -> { 'positive' },
+                                negative_condition: -> { 'negative' })
+
+      expect(described_class.instance).to receive(:closest_parent).once.and_call_original
+
+      2.times { described_class.find_check(descendant_class.new) }
+    end
+
+    it 'returns the checks for the closest class if there are more checks available' do
+      described_class.add_check(super_class,
+                                actions: { index: true })
+      expected_check = described_class.add_check(descendant_class,
+                                                 actions: { index: true, show: false })
+
+      check = described_class.find_check(descendant_class.new)
+
+      expect(check).to eq(expected_check)
+    end
+  end
+end
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -204,6 +204,78 @@ describe Ability do
    end
  end
  
+  describe '.merge_requests_readable_by_user' do
+    context 'with an admin' do
+      it 'returns all merge requests' do
+        user = build(:user, admin: true)
+        merge_request = build(:merge_request)
+
+        expect(described_class.merge_requests_readable_by_user([merge_request], user))
+          .to eq([merge_request])
+      end
+    end
+
+    context 'without a user' do
+      it 'returns merge_requests that are publicly visible' do
+        hidden_merge_request = build(:merge_request)
+        visible_merge_request = build(:merge_request, source_project: build(:project, :public))
+
+        merge_requests = described_class
+                           .merge_requests_readable_by_user([hidden_merge_request, visible_merge_request])
+
+        expect(merge_requests).to eq([visible_merge_request])
+      end
+    end
+
+    context 'with a user' do
+      let(:user) { create(:user) }
+      let(:project) { create(:project) }
+      let(:merge_request) { create(:merge_request, source_project: project) }
+      let(:cross_project_merge_request) do
+        create(:merge_request, source_project: create(:project, :public))
+      end
+      let(:other_merge_request) { create(:merge_request) }
+      let(:all_merge_requests) do
+        [merge_request, cross_project_merge_request, other_merge_request]
+      end
+
+      subject(:readable_merge_requests) do
+        described_class.merge_requests_readable_by_user(all_merge_requests, user)
+      end
+
+      before do
+        project.add_developer(user)
+      end
+
+      it 'returns projects visible to the user' do
+        expect(readable_merge_requests).to contain_exactly(merge_request, cross_project_merge_request)
+      end
+
+      context 'when a user cannot read cross project and a filter is passed' do
+        before do
+          allow(described_class).to receive(:allowed?).and_call_original
+          expect(described_class).to receive(:allowed?).with(user, :read_cross_project) { false }
+        end
+
+        subject(:readable_merge_requests) do
+          read_cross_project_filter = -> (merge_requests) do
+            merge_requests.select { |mr| mr.source_project == project }
+          end
+          described_class.merge_requests_readable_by_user(
+            all_merge_requests, user,
+            filters: { read_cross_project: read_cross_project_filter }
+          )
+        end
+
+        it 'returns only MRs of the specified project without checking access on others' do
+          expect(described_class).not_to receive(:allowed?).with(user, :read_merge_request, cross_project_merge_request)
+
+          expect(readable_merge_requests).to contain_exactly(merge_request)
+        end
+      end
+    end
+  end
+
  describe '.issues_readable_by_user' do
    context 'with an admin user' do
      it 'returns all given issues' do
@@ -250,6 +322,29 @@ describe Ability do
        expect(issues).to eq([visible_issue])
      end
    end
+
+    context 'when the user cannot read cross project' do
+      let(:user) { create(:user) }
+      let(:issue) { create(:issue) }
+      let(:other_project_issue) { create(:issue) }
+      let(:project) { issue.project }
+
+      before do
+        project.add_developer(user)
+
+        allow(described_class).to receive(:allowed?).and_call_original
+        allow(described_class).to receive(:allowed?).with(user, :read_cross_project, any_args) { false }
+      end
+
+      it 'excludes issues from other projects whithout checking separatly when passing a scope' do
+        expect(described_class).not_to receive(:allowed?).with(user, :read_issue, other_project_issue)
+
+        filters = { read_cross_project: -> (issues) { issues.where(project: project) } }
+        result = described_class.issues_readable_by_user(Issue.all, user, filters: filters)
+
+        expect(result).to contain_exactly(issue)
+      end
+    end
  end
  
  describe '.project_disabled_features_rules' do

--- a/spec/models/concerns/protected_ref_access_spec.rb
+++ b/spec/models/concerns/protected_ref_access_spec.rb
+require 'spec_helper'
+
+describe ProtectedRefAccess do
+  subject(:protected_ref_access) do
+    create(:protected_branch, :masters_can_push).push_access_levels.first
+  end
+
+  let(:project) { protected_ref_access.project }
+
+  describe '#check_access' do
+    it 'is always true for admins' do
+      admin = create(:admin)
+
+      expect(protected_ref_access.check_access(admin)).to be_truthy
+    end
+
+    it 'is true for masters' do
+      master = create(:user)
+      project.add_master(master)
+
+      expect(protected_ref_access.check_access(master)).to be_truthy
+    end
+
+    it 'is for developers of the project' do
+      developer = create(:user)
+      project.add_developer(developer)
+
+      expect(protected_ref_access.check_access(developer)).to be_falsy
+    end
+  end
+end
--- a/spec/models/issue_spec.rb
+++ b/spec/models/issue_spec.rb
@@ -221,27 +221,55 @@ describe Issue do
  end
  
  describe '#referenced_merge_requests' do
-    it 'returns the referenced merge requests' do
-      project = create(:project, :public)
-
-      mr1 = create(:merge_request,
-                   source_project: project,
-                   source_branch:  'master',
-                   target_branch:  'feature')
+    let(:project) { create(:project, :public) }
+    let(:issue) do
+      create(:issue, description: merge_request.to_reference, project: project)
+    end
+    let!(:merge_request) do
+      create(:merge_request,
+             source_project: project,
+             source_branch:  'master',
+             target_branch:  'feature')
+    end
  
+    it 'returns the referenced merge requests' do
      mr2 = create(:merge_request,
                   source_project: project,
                   source_branch:  'feature',
                   target_branch:  'master')
  
-      issue = create(:issue, description: mr1.to_reference, project: project)
-
      create(:note_on_issue,
             noteable:   issue,
             note:       mr2.to_reference,
             project_id: project.id)
  
-      expect(issue.referenced_merge_requests).to eq([mr1, mr2])
+      expect(issue.referenced_merge_requests).to eq([merge_request, mr2])
+    end
+
+    it 'returns cross project referenced merge requests' do
+      other_project = create(:project, :public)
+      cross_project_merge_request = create(:merge_request, source_project: other_project)
+      create(:note_on_issue,
+             noteable:   issue,
+             note:       cross_project_merge_request.to_reference(issue.project),
+             project_id: issue.project.id)
+
+      expect(issue.referenced_merge_requests).to eq([merge_request, cross_project_merge_request])
+    end
+
+    it 'excludes cross project references if the user cannot read cross project' do
+      user = create(:user)
+      allow(Ability).to receive(:allowed?).and_call_original
+      expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+      other_project = create(:project, :public)
+      cross_project_merge_request = create(:merge_request, source_project: other_project)
+      create(:note_on_issue,
+             noteable:   issue,
+             note:       cross_project_merge_request.to_reference(issue.project),
+             project_id: issue.project.id)
+
+      expect(issue.referenced_merge_requests(user)).to eq([merge_request])
    end
  end
  
@@ -309,7 +337,7 @@ describe Issue do
  end
  
  describe '#related_branches' do
-    let(:user) { build(:admin) }
+    let(:user) { create(:admin) }
  
    before do
      allow(subject.project.repository).to receive(:branch_names)

--- a/spec/models/notification_recipient_spec.rb
+++ b/spec/models/notification_recipient_spec.rb
+require 'spec_helper'
+
+describe NotificationRecipient do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, namespace: user.namespace) }
+  let(:target) { create(:issue, project: project) }
+
+  subject(:recipient) { described_class.new(user, :watch, target: target, project: project) }
+
+  it 'denies access to a target when cross project access is denied' do
+    allow(Ability).to receive(:allowed?).and_call_original
+    expect(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(false)
+
+    expect(recipient.has_access?).to be_falsy
+  end
+end
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -1473,6 +1473,13 @@ describe Project do
  
      expect(project.user_can_push_to_empty_repo?(user)).to be_truthy
    end
+
+    it 'returns false when the repo is not empty' do
+      project.add_master(user)
+      expect(project).to receive(:empty_repo?).and_return(false)
+
+      expect(project.user_can_push_to_empty_repo?(user)).to be_falsey
+    end
  end
  
  describe '#container_registry_url' do

--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
 require 'spec_helper'
  
 describe IssuablePolicy, models: true do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :public) }
+  let(:issue) { create(:issue, project: project) }
+  let(:policies) { described_class.new(user, issue) }
+
  describe '#rules' do
    context 'when discussion is locked for the issuable' do
-      let(:user) { create(:user) }
-      let(:project) { create(:project, :public) }
      let(:issue) { create(:issue, project: project, discussion_locked: true) }
-      let(:policies) { described_class.new(user, issue) }
  
      context 'when the user is not a project member' do
        it 'can not create a note' do

--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -30,41 +30,41 @@ describe IssuePolicy do
    end
  
    it 'does not allow non-members to read issues' do
-      expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(non_member, issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(non_member, issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
    end
  
    it 'allows guests to read issues' do
-      expect(permissions(guest, issue)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue)
  
-      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
    it 'allows reporters to read, update, and admin issues' do
-      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
    end
  
    it 'allows reporters from group links to read, update, and admin issues' do
-      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
    end
  
    it 'allows issue authors to read and update their issues' do
-      expect(permissions(author, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
      expect(permissions(author, issue)).to be_disallowed(:admin_issue)
  
-      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
    it 'allows issue assignees to read and update their issues' do
-      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
      expect(permissions(assignee, issue)).to be_disallowed(:admin_issue)
  
-      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
@@ -73,37 +73,37 @@ describe IssuePolicy do
      let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
  
      it 'does not allow non-members to read confidential issues' do
-        expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(non_member, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(non_member, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'does not allow guests to read confidential issues' do
-        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows reporters to read, update, and admin confidential issues' do
-        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows reporters from group links to read, update, and admin confidential issues' do
-        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows issue authors to read and update their confidential issues' do
-        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
        expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue)
  
-        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows issue assignees to read and update their confidential issues' do
-        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
        expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue)
  
-        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
    end
  end
@@ -123,36 +123,36 @@ describe IssuePolicy do
    end
  
    it 'allows guests to read issues' do
-      expect(permissions(guest, issue)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(guest, issue)).to be_disallowed(:update_issue, :admin_issue)
  
-      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(guest, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(guest, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
    it 'allows reporters to read, update, and admin issues' do
-      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
    end
  
    it 'allows reporters from group links to read, update, and admin issues' do
-      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+      expect(permissions(reporter_from_group_link, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
    end
  
    it 'allows issue authors to read and update their issues' do
-      expect(permissions(author, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(author, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
      expect(permissions(author, issue)).to be_disallowed(:admin_issue)
  
-      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(author, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(author, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
    it 'allows issue assignees to read and update their issues' do
-      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :update_issue)
+      expect(permissions(assignee, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
      expect(permissions(assignee, issue)).to be_disallowed(:admin_issue)
  
-      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue)
+      expect(permissions(assignee, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid)
      expect(permissions(assignee, issue_no_assignee)).to be_disallowed(:update_issue, :admin_issue)
    end
  
@@ -161,32 +161,32 @@ describe IssuePolicy do
      let(:confidential_issue_no_assignee) { create(:issue, :confidential, project: project) }
  
      it 'does not allow guests to read confidential issues' do
-        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(guest, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows reporters to read, update, and admin confidential issues' do
-        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows reporter from group links to read, update, and admin confidential issues' do
-        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :update_issue, :admin_issue)
-        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
+        expect(permissions(reporter_from_group_link, confidential_issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows issue authors to read and update their confidential issues' do
-        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(author, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
        expect(permissions(author, confidential_issue)).to be_disallowed(:admin_issue)
  
-        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(author, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
  
      it 'allows issue assignees to read and update their confidential issues' do
-        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :update_issue)
+        expect(permissions(assignee, confidential_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue)
        expect(permissions(assignee, confidential_issue)).to be_disallowed(:admin_issue)
  
-        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :update_issue, :admin_issue)
+        expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue)
      end
    end
  end

--- a/spec/services/merge_requests/create_from_issue_service_spec.rb
+++ b/spec/services/merge_requests/create_from_issue_service_spec.rb
@@ -24,7 +24,7 @@ describe MergeRequests::CreateFromIssueService do
    end
  
    it 'delegates issue search to IssuesFinder' do
-      expect_any_instance_of(IssuesFinder).to receive(:execute).once.and_call_original
+      expect_any_instance_of(IssuesFinder).to receive(:find_by).once.and_call_original
  
      described_class.new(project, user, issue_iid: -1).execute
    end

--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
@@ -943,7 +943,8 @@ describe TodoService do
  
      described_class.new.mark_todos_as_done_by_ids(todo, john_doe)
  
-      expect_any_instance_of(TodosFinder).not_to receive(:execute)
+      # Make sure no TodosFinder is inialized to perform counting
+      expect(TodosFinder).not_to receive(:new)
  
      expect(john_doe.todos_done_count).to eq(1)
      expect(john_doe.todos_pending_count).to eq(1)

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -185,6 +185,14 @@ RSpec.configure do |config|
  config.around(:each, :postgresql) do |example|
    example.run if Gitlab::Database.postgresql?
  end
+
+  # This makes sure the `ApplicationController#can?` method is stubbed with the
+  # original implementation for all view specs.
+  config.before(:each, type: :view) do
+    allow(view).to receive(:can?) do |*args|
+      Ability.allowed?(*args)
+    end
+  end
 end
  
 # add simpler way to match asset paths containing digest strings

--- a/spec/support/snippet_visibility.rb
+++ b/spec/support/snippet_visibility.rb
@@ -252,6 +252,15 @@ RSpec.shared_examples 'snippet visibility' do
          results = described_class.new(user).execute
          expect(results.include?(snippet)).to eq(outcome)
        end
+
+        it 'returns no snippets when the user cannot read cross project' do
+          allow(Ability).to receive(:allowed?).and_call_original
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+          snippets = described_class.new(user).execute
+
+          expect(snippets).to be_empty
+        end
      end
    end
  end
@@ -298,6 +307,15 @@ RSpec.shared_examples 'snippet visibility' do
          results = described_class.new(user).execute
          expect(results.include?(snippet)).to eq(outcome)
        end
+
+        it 'should return personal snippets when the user cannot read cross project' do
+          allow(Ability).to receive(:allowed?).and_call_original
+          allow(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
+
+          results = described_class.new(user).execute
+
+          expect(results.include?(snippet)).to eq(outcome)
+        end
      end
    end
  end

--- a/spec/views/shared/projects/_project.html.haml_spec.rb
+++ b/spec/views/shared/projects/_project.html.haml_spec.rb
@@ -5,6 +5,7 @@ describe 'shared/projects/_project.html.haml' do
  
  before do
    allow(view).to receive(:current_application_settings).and_return(Gitlab::CurrentSettings.current_application_settings)
+    allow(view).to receive(:can?) { true }
  end
  
  it 'should render creator avatar if project has a creator' do