Filter not accessible label events

Label events may use cross-project or cross-group references,
if the projects are not accessible by user, we don't show these
label events.

1 files changed, 41 insertions, 0 deletions

diff --git a/app/finders/resource_label_event_finder.rb b/app/finders/resource_label_event_finder.rb
new file mode 100644
index 00000000000..9aafd6e91b9
--- /dev/null
+++ b/app/finders/resource_label_event_finder.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class ResourceLabelEventFinder
+  include FinderMethods
+
+  MAX_PER_PAGE = 100
+
+  attr_reader :params, :current_user, :eventable
+
+  def initialize(current_user, eventable, params = {})
+    @current_user = current_user
+    @eventable = eventable
+    @params = params
+  end
+
+  def execute
+    events = eventable.resource_label_events.inc_relations
+    events = events.page(page).per(per_page)
+    events = visible_to_user(events)
+
+    Kaminari.paginate_array(events)
+  end
+
+  private
+
+  def visible_to_user(events)
+    ResourceLabelEvent.preload_label_subjects(events)
+
+    events.select do |event|
+      Ability.allowed?(current_user, :read_label, event)
+    end
+  end
+
+  def per_page
+    [params[:per_page], MAX_PER_PAGE].compact.min
+  end
+
+  def page
+    params[:page] || 1
+  end
+end