From 7a8d0aab61fa5d59a4bde5330948f1adcfbb542c Mon Sep 17 00:00:00 2001
From: Mark Fletcher <mark@gitlab.com>
Date: Wed, 15 Feb 2017 18:54:18 +0530
Subject: [PATCH] Ensure only commit comments relevant to target project are
 returned

---
 ...-commit-comments-are-shared-across-projects.yml |  4 ++++
 lib/api/commits.rb                                 |  2 +-
 spec/requests/api/commits_spec.rb                  | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/27873-when-a-commit-appears-in-several-projects-commit-comments-are-shared-across-projects.yml

diff --git a/changelogs/unreleased/27873-when-a-commit-appears-in-several-projects-commit-comments-are-shared-across-projects.yml b/changelogs/unreleased/27873-when-a-commit-appears-in-several-projects-commit-comments-are-shared-across-projects.yml
new file mode 100644
index 00000000000..89e2bdc69bc
--- /dev/null
+++ b/changelogs/unreleased/27873-when-a-commit-appears-in-several-projects-commit-comments-are-shared-across-projects.yml
@@ -0,0 +1,4 @@
+---
+title: Only return target project's comments for a commit
+merge_request:
+author:
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 2fefe760d24..173083d0ade 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -114,7 +114,7 @@ module API
         commit = user_project.commit(params[:sha])
 
         not_found! 'Commit' unless commit
-        notes = Note.where(commit_id: commit.id).order(:created_at)
+        notes = user_project.notes.where(commit_id: commit.id).order(:created_at)
 
         present paginate(notes), with: Entities::CommitNote
       end
diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index af9028a8978..cb11cf98bf4 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -464,6 +464,20 @@ describe API::Commits, api: true  do
         expect(response).to have_http_status(401)
       end
     end
+
+    context 'when the commit is present on two projects' do
+      let(:forked_project) { create(:project, :repository, creator: user2, namespace: user2.namespace) }
+      let!(:forked_project_note) { create(:note_on_commit, author: user2, project: forked_project, commit_id: forked_project.repository.commit.id, note: 'a comment on a commit for fork') }
+
+      it 'returns the comments for the target project' do
+        get api("/projects/#{forked_project.id}/repository/commits/#{forked_project.repository.commit.id}/comments", user2)
+
+        expect(response).to have_http_status(200)
+        expect(json_response.length).to eq(1)
+        expect(json_response.first['note']).to eq('a comment on a commit for fork')
+        expect(json_response.first['author']['id']).to eq(user2.id)
+      end
+    end
   end
 
   describe 'POST :id/repository/commits/:sha/cherry_pick' do
-- 
GitLab