Use a custom ProjectParser#nodes_visible_to_user function so that the user permissions for all project references can be checked together

1 files changed, 21 insertions, 2 deletions

diff --git a/lib/banzai/reference_parser/project_parser.rb b/lib/banzai/reference_parser/project_parser.rb
index 54fd3c38a85..787cb671b2d 100644
--- a/lib/banzai/reference_parser/project_parser.rb
+++ b/lib/banzai/reference_parser/project_parser.rb
@@ -7,10 +7,29 @@ module Banzai
         Project
       end
 
+      def nodes_visible_to_user(user, nodes)
+        nodes_projects_hash = lazy { projects_for_nodes(nodes) }
+        project_attr = 'data-project'
+
+        readable_project_ids = projects_readable_by_user(nodes_projects_hash.values, user)
+
+        nodes.select do |node|
+          if node.has_attribute?(project_attr)
+            readable_project_ids.include?(nodes_projects_hash[node].try(:id))
+          else
+            true
+          end
+        end
+      end
+
       private
 
-      def can_read_reference?(user, ref_project, node)
-        can?(user, :read_project, ref_project)
+      # Returns an Array of Project ids that can be read by the given user.
+      #
+      # projects - The projects to reduce down to those readable by the user.
+      # user - The User for which to check the projects
+      def projects_readable_by_user(projects, user)
+        Project.public_or_visible_to_user(user).where("projects.id IN (?)", projects.collect(&:id)).pluck(:id)
       end
     end
   end