Port `read_cross_project` ability from EE

author: Bob Van Landuyt <bob@vanlanduyt.co> 2017-12-11 15:21:06 +0100
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-02-22 17:11:36 +0100
commit: 148816cd67a314f17e79c107270cc708501bdd39 (patch)
tree: eba07d109322392bb5862b715adc066a0ebbdf95 /app/policies/issuable_policy.rb
parent: b5306075c21f5546d1447052558da6227629c15e (diff)
download: gitlab-ce-148816cd67a314f17e79c107270cc708501bdd39.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f0aa16d2ecf..3f6d7d04667 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -3,6 +3,19 @@ class IssuablePolicy < BasePolicy
 
   condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
 
+  # We aren't checking `:read_issue` or `:read_merge_request` in this case
+  # because it could be possible for a user to see an issuable-iid
+  # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be allowed
+  # to read the actual issue after a more expensive `:read_issue` check.
+  #
+  # `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
+  condition(:visible_to_user, score: 4) do
+    Project.where(id: @subject.project)
+      .public_or_visible_to_user(@user)
+      .with_feature_available_for_user(@subject, @user)
+      .any?
+  end
+
   condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
 
   desc "User is the assignee or author"
author	Bob Van Landuyt <bob@vanlanduyt.co>	2017-12-11 15:21:06 +0100
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-02-22 17:11:36 +0100
commit	148816cd67a314f17e79c107270cc708501bdd39 (patch)
tree	eba07d109322392bb5862b715adc066a0ebbdf95 /app/policies/issuable_policy.rb
parent	b5306075c21f5546d1447052558da6227629c15e (diff)
download	gitlab-ce-148816cd67a314f17e79c107270cc708501bdd39.tar.gz