Fix the group and project activity pages

2 files changed, 36 insertions, 1 deletions

diff --git a/app/views/events/_event.html.haml b/app/views/events/_event.html.haml
index 5623f0f590a..78a1d1a0553 100644
--- a/app/views/events/_event.html.haml
+++ b/app/views/events/_event.html.haml
@@ -11,5 +11,5 @@
       = render "events/event/note", event: event
     - else
       = render "events/event/common", event: event
-- elsif @user.include_private_contributions?
+- elsif @user&.include_private_contributions?
   = render "events/event/private", event: event
diff --git a/spec/features/projects/activity/user_sees_private_activity_spec.rb b/spec/features/projects/activity/user_sees_private_activity_spec.rb
new file mode 100644
index 00000000000..d7dc0a6712a
--- /dev/null
+++ b/spec/features/projects/activity/user_sees_private_activity_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe 'Project > Activity > User sees private activity', :js do
+  let(:project) { create(:project, :public) }
+  let(:author) { create(:user) }
+  let(:user) { create(:user) }
+  let(:issue) { create(:issue, :confidential, project: project, author: author) }
+  let(:message) { "#{author.name} opened issue #{issue.to_reference}" }
+
+  before do
+    project.add_developer(author)
+
+    create(:event, :created, project: project, target: issue, author: author)
+  end
+
+  it 'shows the activity to a logged-in user with permissions' do
+    sign_in(author)
+    visit activity_project_path(project)
+
+    expect(page).to have_content(message)
+  end
+
+  it 'hides the activity from a logged-in user without permissions' do
+    sign_in(user)
+    visit activity_project_path(project)
+
+    expect(page).not_to have_content(message)
+  end
+
+  it 'hides the activity from an anonymous user' do
+    visit activity_project_path(project)
+
+    expect(page).not_to have_content(message)
+  end
+end