Fix filtering project MRs by environments

The project endpoint for obtaining the list of available environment
names required the user to be logged in, preventing anonymous users from
using the "Environment" filter.

app/controllers/projects_controller.rb

@@ -15,7 +15,7 @@ class ProjectsController < Projects::ApplicationController
   around_action :allow_gitaly_ref_name_caching, only: [:index, :show]
 
   before_action :whitelist_query_limiting, only: [:create]
-  before_action :authenticate_user!, except: [:index, :show, :activity, :refs, :resolve]
+  before_action :authenticate_user!, except: [:index, :show, :activity, :refs, :resolve, :unfoldered_environment_names]
   before_action :redirect_git_extension, only: [:show]
   before_action :project, except: [:index, :new, :create, :resolve]
   before_action :repository, except: [:index, :new, :create, :resolve]

app/finders/environment_names_finder.rb

@@ -13,7 +13,7 @@
 class EnvironmentNamesFinder
   attr_reader :project_or_group, :current_user
 
-  def initialize(project_or_group, current_user)
+  def initialize(project_or_group, current_user = nil)
     @project_or_group = project_or_group
     @current_user = current_user
   end
@@ -38,7 +38,7 @@ class EnvironmentNamesFinder
   end
 
   def project_environments
-    if current_user.can?(:read_environment, project_or_group)
+    if Ability.allowed?(current_user, :read_environment, project_or_group)
       project_or_group.environments
     else
       Environment.none

spec/controllers/groups_controller_spec.rb

@@ -1213,4 +1213,60 @@ RSpec.describe GroupsController, factory_default: :keep do
       it_behaves_like 'disabled when using an external authorization service'
     end
   end
+
+  describe 'GET #unfoldered_environment_names' do
+    it 'shows the environment names of a public project to an anonymous user' do
+      public_project = create(:project, :public, namespace: group)
+
+      create(:environment, project: public_project, name: 'foo')
+
+      get(
+        :unfoldered_environment_names,
+        params: { id: group, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to eq(%w[foo])
+    end
+
+    it 'does not show environment names of private projects to anonymous users' do
+      create(:environment, project: project, name: 'foo')
+
+      get(
+        :unfoldered_environment_names,
+        params: { id: group, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to be_empty
+    end
+
+    it 'shows environment names of a private project to a group member' do
+      create(:environment, project: project, name: 'foo')
+      sign_in(developer)
+
+      get(
+        :unfoldered_environment_names,
+        params: { id: group, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to eq(%w[foo])
+    end
+
+    it 'does not show environment names of private projects to a logged-in non-member' do
+      alice = create(:user)
+
+      create(:environment, project: project, name: 'foo')
+      sign_in(alice)
+
+      get(
+        :unfoldered_environment_names,
+        params: { id: group, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to be_empty
+    end
+  end
 end

spec/controllers/projects_controller_spec.rb

@@ -1437,4 +1437,55 @@ RSpec.describe ProjectsController do
   def project_moved_message(redirect_route, project)
     "Project '#{redirect_route.path}' was moved to '#{project.full_path}'. Please update any links and bookmarks that may still have the old path."
   end
+
+  describe 'GET #unfoldered_environment_names' do
+    it 'shows the environment names of a public project to an anonymous user' do
+      create(:environment, project: public_project, name: 'foo')
+
+      get(
+        :unfoldered_environment_names,
+        params: { namespace_id: public_project.namespace, id: public_project, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to eq(%w[foo])
+    end
+
+    it 'does not show environment names of a private project to anonymous users' do
+      create(:environment, project: project, name: 'foo')
+
+      get(
+        :unfoldered_environment_names,
+        params: { namespace_id: project.namespace, id: project, format: :json }
+      )
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
+
+    it 'shows environment names of a private project to a project member' do
+      create(:environment, project: project, name: 'foo')
+      project.add_developer(user)
+      sign_in(user)
+
+      get(
+        :unfoldered_environment_names,
+        params: { namespace_id: project.namespace, id: project, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to eq(%w[foo])
+    end
+
+    it 'does not show environment names of a private project to a logged-in non-member' do
+      create(:environment, project: project, name: 'foo')
+      sign_in(user)
+
+      get(
+        :unfoldered_environment_names,
+        params: { namespace_id: project.namespace, id: project, format: :json }
+      )
+
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
 end

spec/finders/environment_names_finder_spec.rb

@@ -59,5 +59,21 @@ RSpec.describe EnvironmentNamesFinder do
         expect(names).to be_empty
       end
     end
+
+    context 'using a public project without a user' do
+      it 'returns all the unique environment names' do
+        names = described_class.new(project1).execute
+
+        expect(names).to eq(%w[gprd gstg])
+      end
+    end
+
+    context 'using a private project without a user' do
+      it 'does not return any environment names' do
+        names = described_class.new(project2).execute
+
+        expect(names).to eq([])
+      end
+    end
   end
 end