Fix scope to handle private guest permission

Guest are blocked to certain feature when project is private, therefore the scope would filter additionally with REPORTER level.

Fix scope to handle private guest permission
Guest are blocked to certain feature when project is private, therefore the scope would filter additionally with REPORTER level.
0de1bfea · Mark Chao · d5bfeee5 · 0de1bfea · 0de1bfea · 0de1bfea
Commit 0de1bfea authored Oct 22, 2019 by Mark Chao
Showing with 88 additions and 1 deletion

app/models/project.rb app/models/project.rb +7 -1

app/models/project_feature.rb app/models/project_feature.rb +7 -0

spec/models/project_spec.rb spec/models/project_spec.rb +74 -0

No files found.
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -517,7 +517,13 @@ class Project < ApplicationRecord
  # This scope returns projects where user has access to both the project and the feature.
  def self.filter_by_feature_visibility(feature, user)
-    with_feature_available_for_user(feature, user).public_or_visible_to_user(user)
+    scope = with_feature_available_for_user(feature, user)
+    if ProjectFeature.guest_allowed_on_private_project?(feature)
+      scope.public_or_visible_to_user(user)
+    else
+      scope.public_or_visible_to_user(user, Gitlab::Access::REPORTER)
+    end
  end
  scope :active, -> { joins(:issues, :notes, :merge_requests).order('issues.created_at, notes.created_at, merge_requests.created_at DESC') }

--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -24,6 +24,7 @@ class ProjectFeature < ApplicationRecord
  FEATURES = %i(issues merge_requests wiki snippets builds repository pages).freeze
  PRIVATE_FEATURES_MIN_ACCESS_LEVEL = { merge_requests: Gitlab::Access::REPORTER }.freeze
+  FEATURES_ALLOWED_BY_GUEST_ON_PRIVATE_PROJECT = %i(issues wiki).freeze
  STRING_OPTIONS = HashWithIndifferentAccess.new({
    'disabled' => DISABLED,
    'private'  => PRIVATE,
@@ -45,6 +46,12 @@ class ProjectFeature < ApplicationRecord
      "#{table}.#{attribute}"
    end
+    def guest_allowed_on_private_project?(feature)
+      feature = ensure_feature!(feature)
+      FEATURES_ALLOWED_BY_GUEST_ON_PRIVATE_PROJECT.include?(feature)
+    end
    def required_minimum_access_level(feature)
      feature = ensure_feature!(feature)

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -3411,6 +3411,20 @@ describe Project do
        expect(projects).to eq([public_project])
      end
    end
+    context 'min_access_level' do
+      let!(:private_project) { create(:project, :private) }
+      before do
+        private_project.add_guest(user)
+      end
+      it 'excludes projects when user does not have required minimum access level' do
+        projects = described_class.all.public_or_visible_to_user(user, Gitlab::Access::REPORTER)
+        expect(projects).to contain_exactly(public_project)
+      end
+    end
  end
  describe '.ids_with_issuables_available_for' do
@@ -3562,6 +3576,66 @@ describe Project do
        end
      end
    end
+    context 'issues' do
+      let(:feature) { Issue }
+      where(:project_level, :feature_access_level, :membership, :expected_count) do
+        permission_table_for_guest_feature_access
+      end
+      with_them do
+        it "respects visibility" do
+          update_feature_access_level(project, feature_access_level)
+          expected_objects = expected_count == 1 ? [project] : []
+          expect(
+            described_class.filter_by_feature_visibility(feature, user)
+          ).to eq(expected_objects)
+        end
+      end
+    end
+    context 'wiki' do
+      let(:feature) { :wiki }
+      where(:project_level, :feature_access_level, :membership, :expected_count) do
+        permission_table_for_guest_feature_access
+      end
+      with_them do
+        it "respects visibility" do
+          update_feature_access_level(project, feature_access_level)
+          expected_objects = expected_count == 1 ? [project] : []
+          expect(
+            described_class.filter_by_feature_visibility(feature, user)
+          ).to eq(expected_objects)
+        end
+      end
+    end
+    context 'code' do
+      let(:feature) { :repository }
+      where(:project_level, :feature_access_level, :membership, :expected_count) do
+        permission_table_for_guest_feature_access_and_non_private_project_only
+      end
+      with_them do
+        it "respects visibility" do
+          update_feature_access_level(project, feature_access_level)
+          expected_objects = expected_count == 1 ? [project] : []
+          expect(
+            described_class.filter_by_feature_visibility(feature, user)
+          ).to eq(expected_objects)
+        end
+      end
+    end
  end
  describe '#pages_available?' do