authorKerri Miller <kerrizor@kerrizor.com>2019-10-25 07:46:40 -0500
committerKerri Miller <kerrizor@kerrizor.com>2019-11-20 07:09:49 -0800
commit6324a099746475910dec56500e0f834a79f181da (patch)
tree76a9875cfaffddaeea5cf1985f95b32cb6dcaab4 /app
parent23e599fb25c4218bbe6a78670a9d5f43a912ffad (diff)
Restrict branches visible to guests in Issue feed
Notes related to branch creation should not be shown in an issue's activity feed when the user doesn't have access to :download_code.
Diffstat (limited to 'app')
-rw-r--r--app/models/note.rb15
1 files changed, 14 insertions, 1 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index ce60413b8a0..493132e30cc 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -37,6 +37,10 @@ class Note < ApplicationRecord
redact_field :note
+ TYPES_RESTRICTED_BY_ABILITY = {
+ branch: :download_code
+ }.freeze
+
# Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
# See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102
alias_attribute :last_edited_at, :updated_at
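Review bot: `TYPES_RESTRICTED_BY_ABILITY` has no comment saying what its keys and values mean, and the name alone does not tell a reader that this is an access-control table. A comment above the constant such as `# Maps a system note action to the project ability a user must hold to see notes of that type; actions not listed here are not restricted.` would make the default explicit for whoever adds the next system note type. The class body continues outside this hunk.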
@@ -341,7 +345,7 @@ class Note < ApplicationRecord
end
def visible_for?(user)
- !cross_reference_not_visible_for?(user)
+ !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
end
def award_emoji?
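Review bot: The restriction added to `visible_for?` only protects code paths that actually call this method, and the visible diff (limited to `app`) changes no caller. It is worth confirming that every place a branch-creation system note can be rendered or serialised filters through `visible_for?`. That presumably includes the issue feed named in the title, and possibly API, notification or export output. If the part of the commit outside `app` does not already do so, a model spec should pin the guest case. A one-line contract comment would also help, e.g. `# True when the user may see this note: cross references are visible and any ability required for its system note type is held.`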
@@ -493,6 +497,15 @@ class Note < ApplicationRecord
private
+ def system_note_viewable_by?(user)
+ return true unless system_note_metadata
+
+ restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
+ return Ability.allowed?(user, restriction, project) if restriction
+
+ true
+ end
+
def keep_around_commit
project.repository.keep_around(self.commit_id)
end
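Review bot: `system_note_viewable_by?` fails open, because any action missing from `TYPES_RESTRICTED_BY_ABILITY` falls through to the final `true`. A future system note type that exposes repository details stays visible to guests until someone remembers to list it. The method should say so in a comment, e.g. `# Default-allow: only actions listed in TYPES_RESTRICTED_BY_ABILITY are gated; add new sensitive system note types there.` If `action` can ever be nil (not visible from this hunk), `.to_sym` raises `NoMethodError`; `TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action&.to_sym]` avoids that while keeping the current default. Because `visible_for?` presumably runs once per note in a feed, reading `system_note_metadata` here may also add a query per note unless callers preload the association.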