Restrict access to confidential issues on activity feed

9222459e · Douglas Barbosa Alexandre · 7d403ec4 · 9222459e · 9222459e · 9222459e
Commit 9222459e authored Mar 17, 2016 by Douglas Barbosa Alexandre
5 changed files
--- a/app/helpers/events_helper.rb
+++ b/app/helpers/events_helper.rb
@@ -194,7 +194,7 @@ module EventsHelper
  end
  def event_to_atom(xml, event)
-    if event.proper?
+    if event.proper?(current_user)
      xml.entry do
        event_link = event_feed_url(event)
        event_title = event_feed_title(event)

--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -73,15 +73,17 @@ class Event < ActiveRecord::Base
    end
  end
-  def proper?
+  def proper?(user = nil)
    if push?
      true
    elsif membership_changed?
      true
    elsif created_project?
      true
+    elsif issue?
+      Ability.abilities.allowed?(user, :read_issue, issue)
    else
-      ((issue? || merge_request? || note?) && target) || milestone?
+      ((merge_request? || note?) && target) || milestone?
    end
  end

--- a/app/views/events/_event.html.haml
+++ b/app/views/events/_event.html.haml
- if event.proper?
+- if event.proper?(current_user)
  .event-item{class: "#{event.body? ? "event-block" : "event-inline" }"}
    .event-item-timestamp
      #{time_ago_with_tooltip(event.created_at)}

--- a/features/steps/groups.rb
+++ b/features/steps/groups.rb
@@ -35,7 +35,7 @@ class Spinach::Features::Groups < Spinach::FeatureSteps
  end
  step 'I should see projects activity feed' do
-    expect(page).to have_content 'closed issue'
+    expect(page).to have_content 'joined project'
  end
  step 'I should see issues from group "Owned" assigned to me' do

--- a/spec/models/event_spec.rb
+++ b/spec/models/event_spec.rb
@@ -65,6 +65,42 @@ describe Event, models: true do
    it { expect(@event.author).to eq(@user) }
  end
+  describe '#proper?' do
+    context 'issue event' do
+      let(:project) { create(:empty_project, :public) }
+      let(:non_member) { create(:user) }
+      let(:member)  { create(:user) }
+      let(:author) { create(:author) }
+      let(:assignee) { create(:user) }
+      let(:admin) { create(:admin) }
+      let(:event) { Event.new(project: project, action: Event::CREATED, target: issue, author_id: author.id) }
+      before do
+        project.team << [member, :developer]
+      end
+      context 'for non confidential issues' do
+        let(:issue) { create(:issue, project: project, author: author, assignee: assignee) }
+        it { expect(event.proper?(non_member)).to eq true }
+        it { expect(event.proper?(author)).to eq true }
+        it { expect(event.proper?(assignee)).to eq true }
+        it { expect(event.proper?(member)).to eq true }
+        it { expect(event.proper?(admin)).to eq true }
+      end
+      context 'for confidential issues' do
+        let(:issue) { create(:issue, :confidential, project: project, author: author, assignee: assignee) }
+        it { expect(event.proper?(non_member)).to eq false }
+        it { expect(event.proper?(author)).to eq true }
+        it { expect(event.proper?(assignee)).to eq true }
+        it { expect(event.proper?(member)).to eq true }
+        it { expect(event.proper?(admin)).to eq true }
+      end
+    end
+  end
  describe '.limit_recent' do
    let!(:event1) { create(:closed_issue_event) }
    let!(:event2) { create(:closed_issue_event) }