Filter milestone release by user access

Merge branch 'security-group-milestone-releases-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2537

Changelog: security

app/helpers/timeboxes_helper.rb

@@ -153,11 +153,11 @@ module TimeboxesHelper
     n_("%{releases} release", "%{releases} releases", count) % { releases: count }
   end
 
-  def recent_releases_with_counts(milestone)
+  def recent_releases_with_counts(milestone, user)
     total_count = milestone.releases.size
     return [[], 0, 0] if total_count == 0
 
-    recent_releases = milestone.releases.recent.to_a
+    recent_releases = milestone.releases.recent.filter { |release| Ability.allowed?(user, :read_release, release) }
     more_count = total_count - recent_releases.size
     [recent_releases, total_count, more_count]
   end

app/views/shared/milestones/_milestone.html.haml

@@ -14,7 +14,7 @@
       - if milestone.due_date || milestone.start_date
         .text-tertiary.gl-mb-2
           = milestone_date_range(milestone)
-      - recent_releases, total_count, more_count = recent_releases_with_counts(milestone)
+      - recent_releases, total_count, more_count = recent_releases_with_counts(milestone, current_user)
       - unless total_count == 0
         .text-tertiary.gl-mb-2.milestone-release-links
           = sprite_icon("rocket", size: 12)

app/views/shared/milestones/_sidebar.html.haml

@@ -138,7 +138,7 @@
               = milestone.merge_requests.merged.count
 
     - if project
-      - recent_releases, total_count, more_count = recent_releases_with_counts(milestone)
+      - recent_releases, total_count, more_count = recent_releases_with_counts(milestone, current_user)
       .block.releases
         .sidebar-collapsed-icon.has-tooltip{ title: milestone_releases_tooltip_text(milestone), data: { container: 'body', placement: 'left', boundary: 'viewport' } }
           %strong

ee/spec/features/milestones/user_views_milestone_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe "User views milestone" do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:group) { create(:group, :public) }
+  let_it_be(:project) { create(:project, :repository, group: group) }
+  let_it_be(:no_access_project) { create(:project, :repository, group: group) }
+  let_it_be(:milestone) { create(:milestone, group: group) }
+
+  before do
+    stub_licensed_features(group_milestone_project_releases: true)
+
+    project.add_developer(user)
+    sign_in(user)
+  end
+
+  # can't use let_it_be because can't stub group_milestone_project_releases outside of example
+  let!(:release) { create(:release, name: 'PUBLIC RELEASE', project: project, milestones: [milestone])}
+  let!(:no_access_release) do
+    create(:release, name: 'PRIVATE RELEASE', project: no_access_project, milestones: [milestone])
+  end
+
+  it 'only shows releases that user has access to' do
+    visit(group_milestones_path(group))
+
+    expect(page.find('.milestone')).to have_text('PUBLIC RELEASE')
+    expect(page.find('.milestone')).not_to have_text('PRIVATE RELEASE')
+    expect(page.find('.milestone')).to have_text('1 more release')
+  end
+end

ee/spec/helpers/timeboxes_helper_spec.rb

@@ -116,6 +116,46 @@ RSpec.describe TimeboxesHelper do
     end
   end
 
+  describe "#recent_releases_with_counts" do
+    before do
+      stub_licensed_features(group_milestone_project_releases: true)
+    end
+
+    let_it_be(:group) { create(:group, :public) }
+    let_it_be(:milestone) { create(:milestone, group: group) }
+    let_it_be(:public_project) { create(:project, :public, namespace: group) }
+    let_it_be(:private_project) { create(:project, namespace: group) }
+    let_it_be(:user) { create(:user) }
+
+    # can't use let_it_be because can't stub group_milestone_project_releases outside of example
+    let!(:public_release) { create(:release, project: public_project, milestones: [milestone]) }
+    let!(:private_release) { create(:release, project: private_project, milestones: [milestone]) }
+
+    subject { helper.recent_releases_with_counts(milestone, user) }
+
+    it "hides private release" do
+      is_expected.to eq([[public_release], 2, 1])
+    end
+
+    context "when user is nil" do
+      let(:user) { nil }
+
+      it "hides private release" do
+        is_expected.to eq([[public_release], 2, 1])
+      end
+    end
+
+    context "when user has access to the project" do
+      before do
+        private_project.add_developer(user)
+      end
+
+      it "returns both releases" do
+        is_expected.to match([match_array([public_release, private_release]), 2, 0])
+      end
+    end
+  end
+
   def create_resource_state_event(created_at = Date.current)
     create(:resource_state_event, created_at: created_at)
   end

spec/helpers/timeboxes_helper_spec.rb

@@ -38,4 +38,23 @@ RSpec.describe TimeboxesHelper do
       end
     end
   end
+
+  describe "#recent_releases_with_counts" do
+    let_it_be(:milestone) { create(:milestone) }
+    let_it_be(:project) { milestone.project }
+    let_it_be(:user) { create(:user) }
+
+    subject { helper.recent_releases_with_counts(milestone, user) }
+
+    before do
+      project.add_developer(user)
+    end
+
+    it "returns releases with counts" do
+      _old_releases = create_list(:release, 2, project: project, milestones: [milestone])
+      recent_public_releases = create_list(:release, 3, project: project, milestones: [milestone], released_at: '2022-01-01T18:00:00Z')
+
+      is_expected.to match([match_array(recent_public_releases), 5, 2])
+    end
+  end
 end