Merge branch 'fix-comments-on-confidential-issues-show-activity-feed-for-non-members' into 'master'

Comments on confidential issues doesn't show in activity feed to non-members Closes #14568 See merge request !3375

Merge branch 'fix-comments-on-confidential-issues-show-activity-feed-for-non-members' into 'master'
Comments on confidential issues doesn't show in activity feed to non-members Closes #14568 See merge request !3375
30030141 · Douwe Maan · Rémy Coutable · 62600ec3 · 30030141 · 30030141
Commit 30030141 authored Mar 24, 2016 by Douwe Maan Committed by Rémy Coutable Mar 29, 2016
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ v 8.6.2
  - Fix bold text in issuable sidebar. !3358
  - Fix error with anonymous token in applications settings. !3362
  - Fix the milestone 'upcoming' filter. !3364
+  - Fix comments on confidential issues showing up in activity feed to non-members. !3375
 v 8.6.1
  - Add option to reload the schema before restoring a database backup. !2807

--- a/app/helpers/events_helper.rb
+++ b/app/helpers/events_helper.rb
@@ -194,7 +194,7 @@ module EventsHelper
  end
  def event_to_atom(xml, event)
-    if event.proper?(current_user)
+    if event.visible_to_user?(current_user)
      xml.entry do
        event_link = event_feed_url(event)
        event_title = event_feed_title(event)

--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -73,15 +73,15 @@ class Event < ActiveRecord::Base
    end
  end
-  def proper?(user = nil)
+  def visible_to_user?(user = nil)
    if push?
      true
    elsif membership_changed?
      true
    elsif created_project?
      true
-    elsif issue?
+    elsif issue? || issue_note?
-      Ability.abilities.allowed?(user, :read_issue, issue)
+      Ability.abilities.allowed?(user, :read_issue, note? ? note_target : target)
    else
      ((merge_request? || note?) && target) || milestone?
    end
@@ -298,6 +298,10 @@ class Event < ActiveRecord::Base
    target.noteable_type == "Commit"
  end
+  def issue_note?
+    note? && target && target.noteable_type == "Issue"
+  end
  def note_project_snippet?
    target.noteable_type == "Snippet"
  end

--- a/app/views/events/_event.html.haml
+++ b/app/views/events/_event.html.haml
- if event.proper?(current_user)
+- if event.visible_to_user?(current_user)
  .event-item{class: "#{event.body? ? "event-block" : "event-inline" }"}
    .event-item-timestamp
      #{time_ago_with_tooltip(event.created_at)}

--- a/spec/models/event_spec.rb
+++ b/spec/models/event_spec.rb
@@ -59,44 +59,70 @@ describe Event, models: true do
    end
    it { expect(@event.push?).to be_truthy }
-    it { expect(@event.proper?).to be_truthy }
+    it { expect(@event.visible_to_user?).to be_truthy }
    it { expect(@event.tag?).to be_falsey }
    it { expect(@event.branch_name).to eq("master") }
    it { expect(@event.author).to eq(@user) }
  end
-  describe '#proper?' do
+  describe '#visible_to_user?' do
-    context 'issue event' do
+    let(:project) { create(:empty_project, :public) }
-      let(:project) { create(:empty_project, :public) }
+    let(:non_member) { create(:user) }
-      let(:non_member) { create(:user) }
+    let(:member)  { create(:user) }
-      let(:member)  { create(:user) }
+    let(:author) { create(:author) }
-      let(:author) { create(:author) }
+    let(:assignee) { create(:user) }
-      let(:assignee) { create(:user) }
+    let(:admin) { create(:admin) }
-      let(:admin) { create(:admin) }
+    let(:issue) { create(:issue, project: project, author: author, assignee: assignee) }
-      let(:event) { Event.new(project: project, action: Event::CREATED, target: issue, author_id: author.id) }
+    let(:confidential_issue) { create(:issue, :confidential, project: project, author: author, assignee: assignee) }
+    let(:note_on_issue) { create(:note_on_issue, noteable: issue, project: project) }
-      before do
+    let(:note_on_confidential_issue) { create(:note_on_issue, noteable: confidential_issue, project: project) }
-        project.team << [member, :developer]
+    let(:event) { Event.new(project: project, target: target, author_id: author.id) }
-      end
+    before do
+      project.team << [member, :developer]
+    end
+    context 'issue event' do
      context 'for non confidential issues' do
-        let(:issue) { create(:issue, project: project, author: author, assignee: assignee) }
+        let(:target) { issue }
-        it { expect(event.proper?(non_member)).to eq true }
+        it { expect(event.visible_to_user?(non_member)).to eq true }
-        it { expect(event.proper?(author)).to eq true }
+        it { expect(event.visible_to_user?(author)).to eq true }
-        it { expect(event.proper?(assignee)).to eq true }
+        it { expect(event.visible_to_user?(assignee)).to eq true }
-        it { expect(event.proper?(member)).to eq true }
+        it { expect(event.visible_to_user?(member)).to eq true }
-        it { expect(event.proper?(admin)).to eq true }
+        it { expect(event.visible_to_user?(admin)).to eq true }
      end
      context 'for confidential issues' do
-        let(:issue) { create(:issue, :confidential, project: project, author: author, assignee: assignee) }
+        let(:target) { confidential_issue }
+        it { expect(event.visible_to_user?(non_member)).to eq false }
+        it { expect(event.visible_to_user?(author)).to eq true }
+        it { expect(event.visible_to_user?(assignee)).to eq true }
+        it { expect(event.visible_to_user?(member)).to eq true }
+        it { expect(event.visible_to_user?(admin)).to eq true }
+      end
+    end
+    context 'note event' do
+      context 'on non confidential issues' do
+        let(:target) { note_on_issue }
+        it { expect(event.visible_to_user?(non_member)).to eq true }
+        it { expect(event.visible_to_user?(author)).to eq true }
+        it { expect(event.visible_to_user?(assignee)).to eq true }
+        it { expect(event.visible_to_user?(member)).to eq true }
+        it { expect(event.visible_to_user?(admin)).to eq true }
+      end
+      context 'on confidential issues' do
+        let(:target) { note_on_confidential_issue }
-        it { expect(event.proper?(non_member)).to eq false }
+        it { expect(event.visible_to_user?(non_member)).to eq false }
-        it { expect(event.proper?(author)).to eq true }
+        it { expect(event.visible_to_user?(author)).to eq true }
-        it { expect(event.proper?(assignee)).to eq true }
+        it { expect(event.visible_to_user?(assignee)).to eq true }
-        it { expect(event.proper?(member)).to eq true }
+        it { expect(event.visible_to_user?(member)).to eq true }
-        it { expect(event.proper?(admin)).to eq true }
+        it { expect(event.visible_to_user?(admin)).to eq true }
      end
    end
  end