Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee

3 files changed, 50 insertions, 7 deletions

diff --git a/app/models/note.rb b/app/models/note.rb
index 3f3fa968393..a84da066968 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -50,7 +50,7 @@ class Note < ApplicationRecord
   attr_accessor :user_visible_reference_count
 
   # Attribute used to store the attributes that have been changed by quick actions.
-  attr_accessor :commands_changes
+  attr_writer :commands_changes
 
   # Attribute used to determine whether keep_around_commits will be skipped for diff notes.
   attr_accessor :skip_keep_around_commits
@@ -616,6 +616,41 @@ class Note < ApplicationRecord
     change_position.line_range["end"] || change_position.line_range["start"]
   end
 
+  def commands_changes
+    @commands_changes&.slice(
+      :due_date,
+      :label_ids,
+      :remove_label_ids,
+      :add_label_ids,
+      :canonical_issue_id,
+      :clone_with_notes,
+      :confidential,
+      :create_merge_request,
+      :add_contacts,
+      :remove_contacts,
+      :assignee_ids,
+      :milestone_id,
+      :time_estimate,
+      :spend_time,
+      :discussion_locked,
+      :merge,
+      :rebase,
+      :wip_event,
+      :target_branch,
+      :reviewer_ids,
+      :health_status,
+      :promote_to_epic,
+      :weight,
+      :emoji_award,
+      :todo_event,
+      :subscription_event,
+      :state_event,
+      :title,
+      :tag_message,
+      :tag_name
+    )
+  end
+
   private
 
   def system_note_viewable_by?(user)
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index 34ce0031bd2..cbfedf54ffa 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -1645,4 +1645,14 @@ RSpec.describe Note do
       end
     end
   end
+
+  describe '#commands_changes' do
+    let(:note) { build(:note) }
+
+    it 'only returns allowed keys' do
+      note.commands_changes = { emoji_award: {}, time_estimate: {}, spend_time: {}, target_project: build(:project) }
+
+      expect(note.commands_changes.keys).to contain_exactly(:emoji_award, :time_estimate, :spend_time)
+    end
+  end
 end
diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb
index d4f8b841c96..3c28aed6cac 100644
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -233,11 +233,9 @@ RSpec.describe API::Notes do
     subject { post api(request_path, user), params: { body: request_body } }
 
     context 'a command only note' do
-      let(:assignee) { create(:user) }
-      let(:request_body) { "/assign #{assignee.to_reference}" }
+      let(:request_body) { "/spend 1h" }
 
       before do
-        project.add_developer(assignee)
         project.add_developer(user)
       end
 
@@ -256,7 +254,7 @@ RSpec.describe API::Notes do
       end
 
       it 'applies the commands' do
-        expect { subject }.to change { merge_request.reset.assignees }
+        expect { subject }.to change { merge_request.reset.total_time_spent }
       end
 
       it 'reports the changes' do
@@ -264,9 +262,9 @@ RSpec.describe API::Notes do
 
         expect(json_response).to include(
           'commands_changes' => include(
-            'assignee_ids' => [Integer]
+            'spend_time' => include('duration' => 3600)
           ),
-          'summary' => include("Assigned #{assignee.to_reference}.")
+          'summary' => include('Added 1h spent time.')
         )
       end
     end