authorBob Van Landuyt <bob@vanlanduyt.co>2018-12-07 18:09:00 +0100
committerBob Van Landuyt <bob@vanlanduyt.co>2018-12-17 18:47:53 +0100
commit28acd2b087d5b80cd89354d58f937aed0f4928cb (patch)
tree0eda3c8ee7be722d51a390c750f1fd39dd88276b /spec/finders
parent75262862c434a98b9183a4a63f3ad86dec52b079 (diff)
Hide confidential events in ruby
We're filtering the events using `Event#visible_to_user?`. At most we're loading 100 events at once. Pagination is also dealt with in the finder, but the resulting array is wrapped in a `Kaminari.paginate_array` so the API's pagination helpers keep working. We're passing the total count into that paginatable array, and that count would include confidential events, but we're not disclosing anything by doing so.
Diffstat (limited to 'spec/finders')
-rw-r--r--spec/finders/concerns/finder_with_cross_project_access_spec.rb16
-rw-r--r--spec/finders/events_finder_spec.rb17
-rw-r--r--spec/finders/user_recent_events_finder_spec.rb3
3 files changed, 35 insertions, 1 deletions
diff --git a/spec/finders/concerns/finder_with_cross_project_access_spec.rb b/spec/finders/concerns/finder_with_cross_project_access_spec.rb
index 1ff65a8101b..f29acb521a8 100644
--- a/spec/finders/concerns/finder_with_cross_project_access_spec.rb
+++ b/spec/finders/concerns/finder_with_cross_project_access_spec.rb
@@ -115,4 +115,20 @@ describe FinderWithCrossProjectAccess do
expect(finder.execute).to include(result)
end
end
+
+ context 'when specifying a model' do
+ let(:finder_class) do
+ Class.new do
+ prepend FinderWithCrossProjectAccess
+
+ requires_cross_project_access model: Project
+ end
+ end
+
+ context '.finder_model' do
+ it 'is set correctly' do
+ expect(finder_class.finder_model).to eq(Project)
+ end
+ end
+ end
end
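Review bot: The new context only pins the class-level attribute (`finder_class.finder_model` equals `Project`); nothing in the hunk checks that the concern actually consults `finder_model` when deciding whether `execute` needs `:read_cross_project`, so a regression that ignores the option would still pass here. Consider adding an example in the same context that builds a finder with `model: Project`, stubs `Ability.allowed?(user, :read_cross_project)` to `false`, and asserts on the result of `execute`, mirroring the existing examples above this hunk. As a point of RSpec style, `context '.finder_model'` names a method rather than a condition, so `describe '.finder_model'` reads better. The enclosing `describe FinderWithCrossProjectAccess` block starts outside the hunk.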
diff --git a/spec/finders/events_finder_spec.rb b/spec/finders/events_finder_spec.rb
index 62968e83292..3bce46cc4d1 100644
--- a/spec/finders/events_finder_spec.rb
+++ b/spec/finders/events_finder_spec.rb
@@ -14,6 +14,10 @@ describe EventsFinder do
let!(:closed_issue_event2) { create(:event, project: project1, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 2, 2)) }
let!(:opened_merge_request_event2) { create(:event, project: project2, author: user, target: opened_merge_request, action: Event::CREATED, created_at: Date.new(2017, 2, 2)) }
+ let(:public_project) { create(:project, :public, creator_id: user.id, namespace: user.namespace) }
+ let(:confidential_issue) { create(:closed_issue, confidential: true, project: public_project, author: user) }
+ let!(:confidential_event) { create(:event, project: public_project, author: user, target: confidential_issue, action: Event::CLOSED) }
+
context 'when targeting a user' do
it 'returns events between specified dates filtered on action and type' do
events = described_class.new(source: user, current_user: user, action: 'created', target_type: 'merge_request', after: Date.new(2017, 1, 1), before: Date.new(2017, 2, 1)).execute
@@ -27,6 +31,19 @@ describe EventsFinder do
expect(events).not_to include(opened_merge_request_event)
end
+ it 'does not include events on confidential issues the user does not have access to' do
+ events = described_class.new(source: user, current_user: other_user).execute
+
+ expect(events).not_to include(confidential_event)
+ end
+
+ it 'includes confidential events user has access to' do
+ public_project.add_developer(other_user)
+ events = described_class.new(source: user, current_user: other_user).execute
+
+ expect(events).to include(confidential_event)
+ end
+
it 'returns nothing when the current user cannot read cross project' do
expect(Ability).to receive(:allowed?).with(user, :read_cross_project) { false }
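Review bot: Both new examples use a signed-in `other_user`; there is no example for an anonymous caller on the public project, which is the case where a confidential event is most likely to slip through, so add `it 'does not include confidential events for anonymous users' do` / `events = described_class.new(source: user, current_user: nil).execute` / `expect(events).not_to include(confidential_event)` next to the two new examples (assuming the finder accepts `current_user: nil`, as it presumably does for public-profile requests — please confirm). The commit description says the total count handed to `Kaminari.paginate_array` still includes confidential events; that behaviour is not covered by any example here, and a short spec asserting the count (or at least that the visible page never contains `confidential_event`) would document the accepted trade-off. `other_user` is referenced on the new lines but defined outside the hunk, so the `let` it comes from is taken on trust. The enclosing `describe EventsFinder` block starts and ends outside the hunk.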
diff --git a/spec/finders/user_recent_events_finder_spec.rb b/spec/finders/user_recent_events_finder_spec.rb
index c5fcd68eb4c..5ebceeb7586 100644
--- a/spec/finders/user_recent_events_finder_spec.rb
+++ b/spec/finders/user_recent_events_finder_spec.rb
@@ -29,8 +29,9 @@ describe UserRecentEventsFinder do
end
it 'does not include the events if the user cannot read cross project' do
- expect(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).and_call_original
expect(Ability).to receive(:allowed?).with(current_user, :read_cross_project) { false }
+
expect(finder.execute).to be_empty
end
end