Delete unauthorized Todos when project is privateissue_49897

Delete Todos for guest users when project visibility
level is updated to private.

3 files changed, 52 insertions, 20 deletions

diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index 5ad30b58511..1dcfb739eb6 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -45,6 +45,7 @@ describe Projects::UpdateService do
 
         it 'updates the project to private' do
           expect(TodosDestroyer::ProjectPrivateWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, project.id)
+          expect(TodosDestroyer::ConfidentialIssueWorker).to receive(:perform_in).with(Todo::WAIT_FOR_DELETE, nil, project.id)
 
           result = update_project(project, user, visibility_level: Gitlab::VisibilityLevel::PRIVATE)
 
diff --git a/spec/services/todos/destroy/confidential_issue_service_spec.rb b/spec/services/todos/destroy/confidential_issue_service_spec.rb
index 78b6744b426..9f7e656f7d3 100644
--- a/spec/services/todos/destroy/confidential_issue_service_spec.rb
+++ b/spec/services/todos/destroy/confidential_issue_service_spec.rb
@@ -9,36 +9,60 @@ describe Todos::Destroy::ConfidentialIssueService do
   let(:assignee)       { create(:user) }
   let(:guest)          { create(:user) }
   let(:project_member) { create(:user) }
-  let(:issue)          { create(:issue, project: project, author: author, assignees: [assignee]) }
-
-  let!(:todo_issue_non_member)   { create(:todo, user: user, target: issue, project: project) }
-  let!(:todo_issue_member)       { create(:todo, user: project_member, target: issue, project: project) }
-  let!(:todo_issue_author)       { create(:todo, user: author, target: issue, project: project) }
-  let!(:todo_issue_asignee)      { create(:todo, user: assignee, target: issue, project: project) }
-  let!(:todo_issue_guest)        { create(:todo, user: guest, target: issue, project: project) }
-  let!(:todo_another_non_member) { create(:todo, user: user, project: project) }
+  let(:issue_1)        { create(:issue, :confidential, project: project, author: author, assignees: [assignee]) }
 
   describe '#execute' do
     before do
       project.add_developer(project_member)
       project.add_guest(guest)
+
+      # todos not to be deleted
+      create(:todo, user: project_member, target: issue_1, project: project)
+      create(:todo, user: author, target: issue_1, project: project)
+      create(:todo, user: assignee, target: issue_1, project: project)
+      create(:todo, user: user, project: project)
+      # Todos to be deleted
+      create(:todo, user: guest, target: issue_1, project: project)
+      create(:todo, user: user, target: issue_1, project: project)
     end
 
-    subject { described_class.new(issue.id).execute }
+    subject { described_class.new(issue_id: issue_1.id).execute }
 
-    context 'when provided issue is confidential' do
-      before do
-        issue.update!(confidential: true)
+    context 'when issue_id parameter is present' do
+      context 'when provided issue is confidential' do
+        it 'removes issue todos for users who can not access the confidential issue' do
+          expect { subject }.to change { Todo.count }.from(6).to(4)
+        end
       end
 
-      it 'removes issue todos for users who can not access the confidential issue' do
-        expect { subject }.to change { Todo.count }.from(6).to(4)
+      context 'when provided issue is not confidential' do
+        it 'does not remove any todos' do
+          issue_1.update(confidential: false)
+
+          expect { subject }.not_to change { Todo.count }
+        end
       end
     end
 
-    context 'when provided issue is not confidential' do
-      it 'does not remove any todos' do
-        expect { subject }.not_to change { Todo.count }
+    context 'when project_id parameter is present' do
+      subject { described_class.new(issue_id: nil, project_id: project.id).execute }
+
+      it 'removes issues todos for users that cannot access confidential issues' do
+        issue_2 = create(:issue, :confidential, project: project)
+        issue_3 = create(:issue, :confidential, project: project, author: author, assignees: [assignee])
+        issue_4 = create(:issue, project: project)
+        # Todos not to be deleted
+        create(:todo, user: guest, target: issue_1, project: project)
+        create(:todo, user: assignee, target: issue_1, project: project)
+        create(:todo, user: project_member, target: issue_2, project: project)
+        create(:todo, user: author, target: issue_3, project: project)
+        create(:todo, user: user, target: issue_4, project: project)
+        create(:todo, user: user, project: project)
+        # Todos to be deleted
+        create(:todo, user: user, target: issue_1, project: project)
+        create(:todo, user: guest, target: issue_2, project: project)
+
+        expect { subject }.to change { Todo.count }.from(14).to(10)
       end
     end
   end
diff --git a/spec/workers/todos_destroyer/confidential_issue_worker_spec.rb b/spec/workers/todos_destroyer/confidential_issue_worker_spec.rb
index 18876b71615..0907e2768ba 100644
--- a/spec/workers/todos_destroyer/confidential_issue_worker_spec.rb
+++ b/spec/workers/todos_destroyer/confidential_issue_worker_spec.rb
@@ -3,12 +3,19 @@
 require 'spec_helper'
 
 describe TodosDestroyer::ConfidentialIssueWorker do
-  it "calls the Todos::Destroy::ConfidentialIssueService with the params it was given" do
-    service = double
+  let(:service) { double }
 
-    expect(::Todos::Destroy::ConfidentialIssueService).to receive(:new).with(100).and_return(service)
+  it "calls the Todos::Destroy::ConfidentialIssueService with issue_id parameter" do
+    expect(::Todos::Destroy::ConfidentialIssueService).to receive(:new).with(issue_id: 100, project_id: nil).and_return(service)
     expect(service).to receive(:execute)
 
     described_class.new.perform(100)
   end
+
+  it "calls the Todos::Destroy::ConfidentialIssueService with project_id parameter" do
+    expect(::Todos::Destroy::ConfidentialIssueService).to receive(:new).with(issue_id: nil, project_id: 100).and_return(service)
+    expect(service).to receive(:execute)
+
+    described_class.new.perform(nil, 100)
+  end
 end