Use group ancestors instead of descendants

- Update project milestones spec to use ancestors
groups

doc/api/milestones.md

@@ -28,11 +28,11 @@ Parameters:
 | Attribute                    | Type   | Required | Description |
 | ---------------------------- | ------ | -------- | ----------- |
 | `id`                         | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
-| `iids[]`                     | integer array | optional | Return only the milestones having the given `iid` |
+| `iids[]`                     | integer array | optional | Return only the milestones having the given `iid`. Will be ignored if `include_parent_milestones` is set to `true` |
 | `state`                      | string | optional | Return only `active` or `closed` milestones |
 | `title`                      | string | optional | Return only the milestones having the given `title` |
 | `search`                     | string | optional | Return only milestones with a title or description matching the provided string |
-| `include_parent_milestones`  | boolean | optional | Include milestones from parent group and descendants |
+| `include_parent_milestones`  | boolean | optional | Include milestones from parent group and ancestors. Introduced in [GitLab 13.2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/36944) |
 
 ```shell
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/milestones"

lib/api/milestone_responses.rb

@@ -100,32 +100,23 @@ module API
         end
 
         def milestones_finder_params(parent)
-          finder_params = {}
-
           if parent.is_a?(Group)
-            finder_params[:group_ids] = parent.id
+            { group_ids: parent.id }
           else
-            finder_params[:project_ids] = parent.id
-            finder_params[:group_ids] = parent_group_ids(parent)
+            {
+              project_ids: parent.id,
+              group_ids: parent_group_ids(parent)
+            }
           end
-
-          finder_params
         end
 
         def parent_group_ids(parent)
           return unless params[:include_parent_milestones].present?
-          return unless can_read_parent_group?(parent)
 
-          parent.group.self_and_descendants
+          parent.group.self_and_ancestors
                       .public_or_visible_to_user(current_user)
                       .select(:id)
         end
-
-        def can_read_parent_group?(parent)
-          return unless parent&.group&.present?
-
-          Ability.allowed?(current_user, :read_group, parent.group)
-        end
       end
     end
   end

lib/api/project_milestones.rb

@@ -17,7 +17,7 @@ module API
       params do
         use :list_params
         optional :include_parent_milestones, type: Boolean, default: false,
-                  desc: 'Include milestones from parent group and descendants'
+                  desc: 'Include milestones from parent group and ancestors'
       end
       get ":id/milestones" do
         authorize! :read_milestone, user_project

spec/requests/api/project_milestones_spec.rb

@@ -3,10 +3,10 @@
 require 'spec_helper'
 
 RSpec.describe API::ProjectMilestones do
-  let(:user) { create(:user) }
-  let!(:project) { create(:project, namespace: user.namespace ) }
-  let!(:closed_milestone) { create(:closed_milestone, project: project, title: 'version1', description: 'closed milestone') }
-  let!(:milestone) { create(:milestone, project: project, title: 'version2', description: 'open milestone') }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:project) { create(:project, namespace: user.namespace ) }
+  let_it_be(:closed_milestone) { create(:closed_milestone, project: project, title: 'version1', description: 'closed milestone') }
+  let_it_be(:milestone) { create(:milestone, project: project, title: 'version2', description: 'open milestone') }
 
   before do
     project.add_developer(user)
@@ -18,45 +18,52 @@ RSpec.describe API::ProjectMilestones do
 
   describe 'GET /projects/:id/milestones' do
     context 'when include_parent_milestones is true' do
-      let(:group) { create(:group, :public) }
-      let(:project) { create(:project, group: group) }
-      let!(:group_milestone) { create(:milestone, group: group) }
+      let_it_be(:group) { create(:group, :public) }
+      let_it_be(:child_group) { create(:group, :public, parent: group) }
+      let_it_be(:child_project) { create(:project, group: child_group) }
+      let_it_be(:project_milestone) { create(:milestone, project: child_project) }
+      let_it_be(:group_milestone) { create(:milestone, group: group) }
+      let_it_be(:child_group_milestone) { create(:milestone, group: child_group) }
 
-      context 'when user has access to group parent' do
-        let(:nested_group) { create(:group, :public, parent: group) }
-        let!(:nested_group_milestone) { create(:milestone, group: nested_group) }
+      before do
+        child_project.add_developer(user)
+      end
 
-        it 'result includes parent group and subgroup milestones' do
-          milestones = [nested_group_milestone, group_milestone, milestone, closed_milestone]
+      it 'includes parent groups milestones' do
+        milestones = [child_group_milestone, group_milestone, project_milestone]
 
-          get api("/projects/#{project.id}/milestones", user),
+        get api("/projects/#{child_project.id}/milestones", user),
             params: { include_parent_milestones: true }
 
         expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response.size).to eq(4)
-
+        expect(json_response.size).to eq(3)
         expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
       end
+
+      context 'when user has no access to an ancestor group' do
+        before do
+          [child_group, group].each do |group|
+            group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+          end
         end
 
-      context 'when user has no access to group parent' do
-        it 'does not show parent group milestones' do
-          allow(Ability).to receive(:allowed?).and_call_original
-          allow(Ability).to receive(:allowed?).with(user, :read_group, group).and_return(false)
+        it 'does not show ancestor group milestones' do
+          milestones = [child_group_milestone, project_milestone]
 
-          get api("/projects/#{project.id}/milestones", user),
+          get api("/projects/#{child_project.id}/milestones", user),
               params: { include_parent_milestones: true }
 
           expect(response).to have_gitlab_http_status(:ok)
           expect(json_response.size).to eq(2)
+          expect(json_response.map { |entry| entry["id"] }).to eq(milestones.map(&:id))
         end
       end
 
       context 'when filtering by iids' do
-        it 'does not filer by iids' do
-          milestones = [group_milestone, milestone, closed_milestone]
+        it 'does not filter by iids' do
+          milestones = [child_group_milestone, group_milestone, project_milestone]
 
-          get api("/projects/#{project.id}/milestones", user),
+          get api("/projects/#{child_project.id}/milestones", user),
               params: { include_parent_milestones: true, iids: [group_milestone.iid] }
 
           expect(response).to have_gitlab_http_status(:ok)