Merge branch 'security-epic-notes-api-reveals-historical-info-ce-master' into 'master'

Filter out old system notes for epics in notes api endpoint response See merge request gitlab/gitlabhq!3224
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:24 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-29 21:34:24 +0000
commit: 5a008d136840b5c7fd5688060efa73dd1b5491ab (patch)
tree: 2b969acc6547a564c35e5437b26eb16b241c3dbf /app/models
parent: 34c2b6adf9966ac7ad9a9e699211a6074af13fbc (diff)
parent: 4fea485ec4d8187d0f875c38ee4eee7b537dbeea (diff)
download: gitlab-ce-5a008d136840b5c7fd5688060efa73dd1b5491ab.tar.gz
2 files changed, 6 insertions, 0 deletions
diff --git a/app/models/group.rb b/app/models/group.rb
index 6c868b1d1f0..61a4802a6ee 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -365,6 +365,8 @@ class Group < Namespace
   end
 
   def max_member_access_for_user(user)
+    return GroupMember::NO_ACCESS unless user
+
     return GroupMember::OWNER if user.admin?
 
     members_with_parents
diff --git a/app/models/note.rb b/app/models/note.rb
index 79aad5cbff9..3956ec192b1 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -332,6 +332,10 @@ class Note < ApplicationRecord
     cross_reference? && !all_referenced_mentionables_allowed?(user)
   end
 
+  def visible_for?(user)
+    !cross_reference_not_visible_for?(user)
+  end
+
   def award_emoji?
     can_be_award_emoji? && contains_emoji_only?
   end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:24 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-29 21:34:24 +0000
commit	5a008d136840b5c7fd5688060efa73dd1b5491ab (patch)
tree	2b969acc6547a564c35e5437b26eb16b241c3dbf /app/models
parent	34c2b6adf9966ac7ad9a9e699211a6074af13fbc (diff)
parent	4fea485ec4d8187d0f875c38ee4eee7b537dbeea (diff)
download	gitlab-ce-5a008d136840b5c7fd5688060efa73dd1b5491ab.tar.gz