authorRémy Coutable <remy@rymai.me>2016-01-12 18:10:06 +0100
committerRémy Coutable <remy@rymai.me>2016-01-12 18:24:48 +0100
commit75d41a3657fc32dbc4c783ddd8af951105e8c1df (patch)
treea685dece67c810e26d30db4735e9d43c2128d5df
parentc4511a123401dcf9c2e1b3de732d18463fe9ba90 (diff)
Show referenced MR in issues only when the current viewer can access it
-rw-r--r--CHANGELOG1
-rw-r--r--app/controllers/projects/issues_controller.rb2
-rw-r--r--app/models/issue.rb4
-rw-r--r--features/project/merge_requests/notes.feature25
-rw-r--r--features/steps/project/merge_requests/notes.rb71
5 files changed, 100 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index ab34661ce05..9f3dac10aad 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -38,6 +38,7 @@ v 8.4.0 (unreleased)
- Ajax filter by message for commits page
- API: Add support for deleting a tag via the API (Robert Schilling)
- Allow subsequent validations in CI Linter
+ - Show referenced MR in issues only when the current viewer can access it
v 8.3.3
- Preserve CE behavior with JIRA integration by only calling API if URL is set
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index b59b52291fb..f476afb2d92 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
@note = @project.notes.new(noteable: @issue)
@notes = @issue.notes.nonawards.with_associations.fresh
@noteable = @issue
- @merge_requests = @issue.referenced_merge_requests
+ @merge_requests = @issue.referenced_merge_requests(current_user)
respond_with(@issue)
end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index f52e47f3e62..7beba984608 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
reference
end
- def referenced_merge_requests
+ def referenced_merge_requests(current_user = nil)
Gitlab::ReferenceExtractor.lazily do
[self, *notes].flat_map do |note|
- note.all_references.merge_requests
+ note.all_references(current_user).merge_requests
end
end.sort_by(&:iid)
end
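Review bot: The `current_user = nil` default on `referenced_merge_requests` lets any caller that still omits the argument keep working, and nothing in this hunk shows what `all_references(nil)` returns: nil may be treated as an anonymous viewer, or it may skip the visibility check. Because this filter is what keeps private merge requests off a public issue page, I would either make the argument required or state the nil contract above the method, e.g. `# Merge requests referencing this issue that current_user may read; nil = anonymous viewer (confirm)`. Callers other than the one updated in issues_controller.rb are not visible in this commit and should be checked for the omitted argument.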
diff --git a/features/project/merge_requests/notes.feature b/features/project/merge_requests/notes.feature
new file mode 100644
index 00000000000..cf337a8fe28
--- /dev/null
+++ b/features/project/merge_requests/notes.feature
@@ -0,0 +1,25 @@
+@project_merge_requests
+Feature: Project Merge Requests Notes
+ Background:
+ Given I sign in as "Mary Jane"
+ And I own public project "Public Shop"
+ And project "Public Shop" has "Public Issue 01" open issue
+ And I logout
+ And I sign in as "John Doe"
+ And I own private project "Private Library"
+ And project "Private Library" has "Private MR 01" open merge request
+ And I visit merge request page "Private MR 01"
+ And I leave a comment with link to issue "Public Issue 01"
+ And I logout
+
+ @javascript
+ Scenario: Viewing the public issue as a lambda user
+ Given I sign in as "Mary Jane"
+ When I visit issue page "Public Issue 01"
+ Then I should not see any related merge requests
+
+ @javascript
+ Scenario: Viewing the public issue as "John Doe"
+ Given I sign in as "John Doe"
+ When I visit issue page "Public Issue 01"
+ Then I should see the "Private MR 01" related merge request
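Review bot: Both scenarios sign in before visiting the issue, so the signed-out visitor is never exercised; that is the `current_user = nil` path of `Issue#referenced_merge_requests` on a public issue. The Background already ends with `And I logout`, so a third `@javascript` scenario needs only `When I visit issue page "Public Issue 01"` followed by `Then I should not see any related merge requests`. That would pin the behaviour for the viewer with the least access, which is the case most likely to regress unnoticed.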
diff --git a/features/steps/project/merge_requests/notes.rb b/features/steps/project/merge_requests/notes.rb
new file mode 100644
index 00000000000..2c3f70cdc6e
--- /dev/null
+++ b/features/steps/project/merge_requests/notes.rb
@@ -0,0 +1,71 @@
+class Spinach::Features::ProjectMergeRequestsNotes < Spinach::FeatureSteps
+ include SharedAuthentication
+ include SharedUser
+
+ step 'I own public project "Public Shop"' do
+ project = create :project, :public, name: 'Public Shop', namespace: current_user.namespace
+ project.team << [current_user, :master]
+ end
+
+ step 'project "Public Shop" has "Public Issue 01" open issue' do
+ project = Project.find_by(name: 'Public Shop')
+
+ create(:issue,
+ title: 'Public Issue 01',
+ project: project,
+ author: current_user,
+ description: '# Description header'
+ )
+ end
+
+ step 'I own private project "Private Library"' do
+ project = create :project, name: 'Private Library', namespace: current_user.namespace
+ project.team << [current_user, :master]
+ end
+
+ step 'project "Private Library" has "Private MR 01" open merge request' do
+ project = Project.find_by!(name: 'Private Library')
+
+ create(:merge_request,
+ title: 'Private MR 01',
+ source_project: project,
+ target_project: project,
+ source_branch: 'fix',
+ target_branch: 'master',
+ author: current_user,
+ description: '# Description header'
+ )
+ end
+
+ step 'I visit merge request page "Private MR 01"' do
+ mr = MergeRequest.find_by(title: "Private MR 01")
+ visit namespace_project_merge_request_path(mr.target_project.namespace, mr.target_project, mr)
+ end
+
+ step 'I leave a comment with link to issue "Public Issue 01"' do
+ issue = Issue.find_by!(title: 'Public Issue 01')
+
+ page.within(".js-main-target-form") do
+ fill_in "note[note]", with: namespace_project_issue_url(issue.project.namespace, issue.project, issue)
+ click_button "Add Comment"
+ end
+ end
+
+ step 'I visit issue page "Public Issue 01"' do
+ issue = Issue.find_by(title: "Public Issue 01")
+ visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
+ end
+
+ step 'I should not see any related merge requests' do
+ page.within '.issue-details' do
+ expect(page).not_to have_content('.merge-requests')
+ end
+ end
+
+ step 'I should see the "Private MR 01" related merge request' do
+ page.within '.merge-requests' do
+ expect(page).to have_content("1 Related Merge Request")
+ expect(page).to have_content("Private MR 01")
+ end
+ end
+end
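Review bot: The step 'I should not see any related merge requests' asserts `expect(page).not_to have_content('.merge-requests')`, but `have_content` matches visible text rather than a CSS selector. The assertion therefore passes whenever the literal string `.merge-requests` is absent from the page, which presumably holds even if the private merge request is rendered. This is the only check that the private MR stays hidden, so it should be `expect(page).not_to have_selector('.merge-requests')`, ideally with `expect(page).not_to have_content('Private MR 01')` as well. The last step already uses `.merge-requests` as a selector in `page.within`, which confirms it is a class name and not page text.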