Show referenced MR in issues only when the current viewer can access it

75d41a36 · Rémy Coutable · c4511a12 · 75d41a36 · 75d41a36 · 75d41a36
Commit 75d41a36 authored 9 years ago by Rémy Coutable
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ v 8.4.0 (unreleased)
  - Ajax filter by message for commits page
  - API: Add support for deleting a tag via the API (Robert Schilling)
  - Allow subsequent validations in CI Linter
+  - Show referenced MR in issues only when the current viewer can access it
  
 v 8.3.3
  - Preserve CE behavior with JIRA integration by only calling API if URL is set

--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
    @note = @project.notes.new(noteable: @issue)
    @notes = @issue.notes.nonawards.with_associations.fresh
    @noteable = @issue
-    @merge_requests = @issue.referenced_merge_requests
+    @merge_requests = @issue.referenced_merge_requests(current_user)
  
    respond_with(@issue)
  end

--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
    reference
  end
  
-  def referenced_merge_requests
+  def referenced_merge_requests(current_user = nil)
    Gitlab::ReferenceExtractor.lazily do
      [self, *notes].flat_map do |note|
-        note.all_references.merge_requests
+        note.all_references(current_user).merge_requests
      end
    end.sort_by(&:iid)
  end

--- a/features/project/merge_requests/notes.feature
+++ b/features/project/merge_requests/notes.feature
+@project_merge_requests
+Feature: Project Merge Requests Notes
+  Background:
+    Given I sign in as "Mary Jane"
+    And I own public project "Public Shop"
+    And project "Public Shop" has "Public Issue 01" open issue
+    And I logout
+    And I sign in as "John Doe"
+    And I own private project "Private Library"
+    And project "Private Library" has "Private MR 01" open merge request
+    And I visit merge request page "Private MR 01"
+    And I leave a comment with link to issue "Public Issue 01"
+    And I logout
+
+  @javascript
+  Scenario: Viewing the public issue as a lambda user
+    Given I sign in as "Mary Jane"
+    When I visit issue page "Public Issue 01"
+    Then I should not see any related merge requests
+
+  @javascript
+  Scenario: Viewing the public issue as "John Doe"
+    Given I sign in as "John Doe"
+    When I visit issue page "Public Issue 01"
+    Then I should see the "Private MR 01" related merge request
--- a/features/steps/project/merge_requests/notes.rb
+++ b/features/steps/project/merge_requests/notes.rb
+class Spinach::Features::ProjectMergeRequestsNotes < Spinach::FeatureSteps
+  include SharedAuthentication
+  include SharedUser
+
+  step 'I own public project "Public Shop"' do
+    project = create :project, :public, name: 'Public Shop', namespace: current_user.namespace
+    project.team << [current_user, :master]
+  end
+
+  step 'project "Public Shop" has "Public Issue 01" open issue' do
+    project = Project.find_by(name: 'Public Shop')
+
+    create(:issue,
+           title: 'Public Issue 01',
+           project: project,
+           author: current_user,
+           description: '# Description header'
+          )
+  end
+
+  step 'I own private project "Private Library"' do
+    project = create :project, name: 'Private Library', namespace: current_user.namespace
+    project.team << [current_user, :master]
+  end
+
+  step 'project "Private Library" has "Private MR 01" open merge request' do
+    project = Project.find_by!(name: 'Private Library')
+
+    create(:merge_request,
+           title: 'Private MR 01',
+           source_project: project,
+           target_project: project,
+           source_branch: 'fix',
+           target_branch: 'master',
+           author: current_user,
+           description: '# Description header'
+          )
+  end
+
+  step 'I visit merge request page "Private MR 01"' do
+    mr = MergeRequest.find_by(title: "Private MR 01")
+    visit namespace_project_merge_request_path(mr.target_project.namespace, mr.target_project, mr)
+  end
+
+  step 'I leave a comment with link to issue "Public Issue 01"' do
+    issue = Issue.find_by!(title: 'Public Issue 01')
+
+    page.within(".js-main-target-form") do
+      fill_in "note[note]", with: namespace_project_issue_url(issue.project.namespace, issue.project, issue)
+      click_button "Add Comment"
+    end
+  end
+
+  step 'I visit issue page "Public Issue 01"' do
+    issue = Issue.find_by(title: "Public Issue 01")
+    visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
+  end
+
+  step 'I should not see any related merge requests' do
+    page.within '.issue-details' do
+      expect(page).not_to have_content('.merge-requests')
+    end
+  end
+
+  step 'I should see the "Private MR 01" related merge request' do
+    page.within '.merge-requests' do
+      expect(page).to have_content("1 Related Merge Request")
+      expect(page).to have_content("Private MR 01")
+    end
+  end
+end