Commit 9d7f88c1 authored by Rémy Coutable's avatar Rémy Coutable

Show referenced MRs & Issues only when the current viewer can access them

parent c4511a12
...@@ -38,6 +38,7 @@ v 8.4.0 (unreleased) ...@@ -38,6 +38,7 @@ v 8.4.0 (unreleased)
- Ajax filter by message for commits page - Ajax filter by message for commits page
- API: Add support for deleting a tag via the API (Robert Schilling) - API: Add support for deleting a tag via the API (Robert Schilling)
- Allow subsequent validations in CI Linter - Allow subsequent validations in CI Linter
- Show referenced MRs & Issues only when the current viewer can access them
v 8.3.3 v 8.3.3
- Preserve CE behavior with JIRA integration by only calling API if URL is set - Preserve CE behavior with JIRA integration by only calling API if URL is set
......
...@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController ...@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
@note = @project.notes.new(noteable: @issue) @note = @project.notes.new(noteable: @issue)
@notes = @issue.notes.nonawards.with_associations.fresh @notes = @issue.notes.nonawards.with_associations.fresh
@noteable = @issue @noteable = @issue
@merge_requests = @issue.referenced_merge_requests @merge_requests = @issue.referenced_merge_requests(current_user)
respond_with(@issue) respond_with(@issue)
end end
......
...@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base ...@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
reference reference
end end
def referenced_merge_requests def referenced_merge_requests(current_user = nil)
Gitlab::ReferenceExtractor.lazily do Gitlab::ReferenceExtractor.lazily do
[self, *notes].flat_map do |note| [self, *notes].flat_map do |note|
note.all_references.merge_requests note.all_references(current_user).merge_requests
end end
end.sort_by(&:iid) end.sort_by(&:iid)
end end
......
...@@ -8,4 +8,5 @@ ...@@ -8,4 +8,5 @@
- else - else
- @notes.each do |note| - @notes.each do |note|
- next unless note.author - next unless note.author
- next if note.cross_reference? && note.referenced_mentionables(current_user).empty?
= render note = render note
@project_issues
Feature: Project Issues References
Background:
Given I sign in as "John Doe"
And "John Doe" owns public project "Community"
And project "Community" has "Public Issue 01" open issue
And I logout
And I sign in as "Mary Jane"
And "Mary Jane" owns private project "Private Library"
And project "Private Library" has "Fix NS-01" open merge request
And project "Private Library" has "Private Issue 01" open issue
And I visit merge request page "Fix NS-01"
And I leave a comment referencing issue "Public Issue 01" from "Fix NS-01" merge request
And I visit issue page "Private Issue 01"
And I leave a comment referencing issue "Public Issue 01" from "Private Issue 01" issue
And I logout
@javascript
Scenario: Viewing the public issue as a "John Doe"
Given I sign in as "John Doe"
When I visit issue page "Public Issue 01"
Then I should not see any related merge requests
And I should see no notes at all
@javascript
Scenario: Viewing the public issue as "Mary Jane"
Given I sign in as "Mary Jane"
When I visit issue page "Public Issue 01"
Then I should see the "Fix NS-01" related merge request
And I should see a note linking to "Fix NS-01" merge request
And I should see a note linking to "Private Issue 01" issue
class Spinach::Features::ProjectIssuesReferences < Spinach::FeatureSteps
include SharedAuthentication
include SharedNote
include SharedProject
include SharedUser
step 'project "Community" has "Public Issue 01" open issue' do
project = Project.find_by(name: 'Community')
create(:issue,
title: 'Public Issue 01',
project: project,
author: project.users.first,
description: '# Description header'
)
end
step 'project "Private Library" has "Fix NS-01" open merge request' do
project = Project.find_by(name: 'Private Library')
create(:merge_request,
title: 'Fix NS-01',
source_project: project,
target_project: project,
source_branch: 'fix',
target_branch: 'master',
author: project.users.first,
description: '# Description header'
)
end
step 'project "Private Library" has "Private Issue 01" open issue' do
project = Project.find_by(name: 'Private Library')
create(:issue,
title: 'Private Issue 01',
project: project,
author: project.users.first,
description: '# Description header'
)
end
step 'I leave a comment referencing issue "Public Issue 01" from "Fix NS-01" merge request' do
project = Project.find_by(name: 'Private Library')
issue = Issue.find_by!(title: 'Public Issue 01')
page.within(".js-main-target-form") do
fill_in "note[note]", with: "##{issue.to_reference(project)}"
click_button "Add Comment"
end
end
step 'I leave a comment referencing issue "Public Issue 01" from "Private Issue 01" issue' do
project = Project.find_by(name: 'Private Library')
issue = Issue.find_by!(title: 'Public Issue 01')
page.within(".js-main-target-form") do
fill_in "note[note]", with: "##{issue.to_reference(project)}"
click_button "Add Comment"
end
end
step 'I visit merge request page "Fix NS-01"' do
mr = MergeRequest.find_by(title: "Fix NS-01")
visit namespace_project_merge_request_path(mr.target_project.namespace, mr.target_project, mr)
end
step 'I visit issue page "Private Issue 01"' do
issue = Issue.find_by(title: "Private Issue 01")
visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
end
step 'I visit issue page "Public Issue 01"' do
issue = Issue.find_by(title: "Public Issue 01")
visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
end
step 'I should not see any related merge requests' do
page.within '.issue-details' do
expect(page).not_to have_content('.merge-requests')
end
end
step 'I should see the "Fix NS-01" related merge request' do
page.within '.merge-requests' do
expect(page).to have_content("1 Related Merge Request")
expect(page).to have_content('Fix NS-01')
end
end
step 'I should see a note linking to "Fix NS-01" merge request' do
project = Project.find_by(name: 'Community')
mr = MergeRequest.find_by(title: 'Fix NS-01')
page.within('.notes') do
expect(page).to have_content('Mary Jane')
expect(page).to have_content("mentioned in merge request #{mr.to_reference(project)}")
end
end
step 'I should see a note linking to "Private Issue 01" issue' do
project = Project.find_by(name: 'Community')
issue = Issue.find_by(title: 'Private Issue 01')
page.within('.notes') do
expect(page).to have_content('Mary Jane')
expect(page).to have_content("mentioned in issue #{issue.to_reference(project)}")
end
end
end
...@@ -106,6 +106,12 @@ module SharedNote ...@@ -106,6 +106,12 @@ module SharedNote
end end
end end
step 'I should see no notes at all' do
page.within('.notes') do
expect(page).to_not have_css('.note')
end
end
# Markdown # Markdown
step 'I leave a comment with a header containing "Comment with a header"' do step 'I leave a comment with a header containing "Comment with a header"' do
......
...@@ -181,6 +181,13 @@ module SharedProject ...@@ -181,6 +181,13 @@ module SharedProject
project.team << [user, :master] project.team << [user, :master]
end end
step '"Mary Jane" owns private project "Private Library"' do
user = user_exists('Mary Jane', username: 'mary_jane')
project = Project.find_by(name: 'Private Library')
project ||= create(:project, name: 'Private Library', namespace: user.namespace)
project.team << [user, :master]
end
step 'public empty project "Empty Public Project"' do step 'public empty project "Empty Public Project"' do
create :project_empty_repo, :public, name: "Empty Public Project" create :project_empty_repo, :public, name: "Empty Public Project"
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment