authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-29 23:48:33 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-29 23:48:57 +0000
commit05bbfffcd3692a70849628ff36ecb8eeac4902af (patch)
tree7613423113981839650e856d4ad1276851ec97bb
parentef77d7f75069ca5f71261d80bc9caea59168cba2 (diff)
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
-rw-r--r--app/finders/notes_finder.rb8
-rw-r--r--spec/finders/notes_finder_spec.rb20
2 files changed, 28 insertions, 0 deletions
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index c542ffbce7e..81017290f12 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -30,6 +30,7 @@ class NotesFinder
notes = init_collection
notes = since_fetch_at(notes)
notes = notes.with_notes_filter(@params[:notes_filter]) if notes_filter?
+ notes = redact_internal(notes)
sort(notes)
end
@@ -181,6 +182,13 @@ class NotesFinder
notes.order_by(sort)
end
+
+ def redact_internal(notes)
+ subject = @project || target
+ return notes if Ability.allowed?(@current_user, :read_internal_note, subject)
+
+ notes.not_internal
+ end
end
NotesFinder.prepend_mod_with('NotesFinder')
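Review bot: `redact_internal` has no comment saying why the redaction exists or what happens when neither `@project` nor `target` is set; the call appears to fail closed (a nil subject is not granted by `Ability.allowed?`, so `notes.not_internal` is applied), but that reads as incidental rather than intended, and a header comment would pin it: `# Internal notes are returned only to users holding :read_internal_note on the project (or, without one, the noteable); with no subject the check denies and internal notes are dropped.` The permission is evaluated once against the finder's subject rather than per note, so if `init_collection` can yield notes from more than one project when `@project` is nil and no target is given, a user with the ability on the resolved subject would see every internal note in the collection — worth confirming against `init_collection`, which is outside this hunk. The call site added in the first hunk sits after `with_notes_filter` and before `sort`, which looks like the right place; `execute` itself begins before that hunk.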
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index 792a14e3064..1255a882114 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -106,6 +106,26 @@ RSpec.describe NotesFinder do
end
end
+ context 'for notes on public issue in public project' do
+ let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:guest_member) { create(:user) }
+ let_it_be(:reporter_member) { create(:user) }
+ let_it_be(:guest_project_member) { create(:project_member, :guest, user: guest_member, project: public_project) }
+ let_it_be(:reporter_project_member) { create(:project_member, :reporter, user: reporter_member, project: public_project) }
+ let_it_be(:internal_note) { create(:note_on_issue, project: public_project, internal: true) }
+ let_it_be(:public_note) { create(:note_on_issue, project: public_project) }
+
+ it 'shows all notes when the current_user has reporter access' do
+ notes = described_class.new(reporter_member, project: public_project).execute
+ expect(notes).to contain_exactly internal_note, public_note
+ end
+
+ it 'shows only public notes when the current_user has guest access' do
+ notes = described_class.new(guest_member, project: public_project).execute
+ expect(notes).to contain_exactly public_note
+ end
+ end
+
context 'for target type' do
let(:project) { create(:project, :repository) }
let!(:note1) { create :note_on_issue, project: project }