Mentions on confidential issues doesn't create todos for non-members

CHANGELOG

@@ -14,6 +14,9 @@ v 8.7.0 (unreleased)
   - Implement 'TODOs View' as an option for dashboard preferences !3379 (Elias W.)
   - Gracefully handle notes on deleted commits in merge requests (Stan Hu)
 
+v 8.6.3 (unreleased)
+  - Mentions on confidential issues doesn't create todos for non-members
+
 v 8.6.2
   - Fix dropdown alignment. !3298
   - Fix issuable sidebar overlaps on tablet. !3299

app/services/todo_service.rb

@@ -170,14 +170,30 @@ class TodoService
   end
 
   def filter_mentioned_users(project, target, author)
-    mentioned_users = target.mentioned_users.select do |user|
-      user.can?(:read_project, project)
-    end
-
+    mentioned_users = target.mentioned_users
+    mentioned_users = reject_users_without_access(mentioned_users, project, target)
     mentioned_users.delete(author)
     mentioned_users.uniq
   end
 
+  def reject_users_without_access(users, project, target)
+    if target.is_a?(Note) && target.for_issue?
+      target = target.noteable
+    end
+
+    if target.is_a?(Issue)
+      select_users(users, :read_issue, target)
+    else
+      select_users(users, :read_project, project)
+    end
+  end
+
+  def select_users(users, ability, subject)
+    users.select do |user|
+      user.can?(ability.to_sym, subject)
+    end
+  end
+
   def pending_todos(user, criteria = {})
     valid_keys = [:project_id, :target_id, :target_type, :commit_id]
     user.todos.pending.where(criteria.slice(*valid_keys))