Filter not accessible label events

Label events may use cross-project or cross-group references,
if the projects are not accessible by user, we don't show these
label events.

1 files changed, 5 insertions, 3 deletions

diff --git a/lib/api/resource_label_events.rb b/lib/api/resource_label_events.rb
index 505a6c68c9c..062115c5103 100644
--- a/lib/api/resource_label_events.rb
+++ b/lib/api/resource_label_events.rb
@@ -24,14 +24,14 @@ module API
           use :pagination
         end
 
-        # rubocop: disable CodeReuse/ActiveRecord
         get ":id/#{eventables_str}/:eventable_id/resource_label_events" do
           eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id])
-          events = eventable.resource_label_events.includes(:label, :user)
+
+          opts = { page: params[:page], per_page: params[:per_page] }
+          events = ResourceLabelEventFinder.new(current_user, eventable, opts).execute
 
           present paginate(events), with: Entities::ResourceLabelEvent
         end
-        # rubocop: enable CodeReuse/ActiveRecord
 
         desc "Get a single #{eventable_type.to_s.downcase} resource label event" do
           success Entities::ResourceLabelEvent
@@ -45,6 +45,8 @@ module API
           eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id])
           event = eventable.resource_label_events.find(params[:event_id])
 
+          not_found!('ResourceLabelEvent') unless can?(current_user, :read_resource_label_event, event)
+
           present event, with: Entities::ResourceLabelEvent
         end
       end