-rw-r--r--app/finders/notes_finder.rb8
-rw-r--r--spec/finders/notes_finder_spec.rb20
2 files changed, 28 insertions, 0 deletions
diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index c542ffbce7e..81017290f12 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -30,6 +30,7 @@ class NotesFinder
notes = init_collection
notes = since_fetch_at(notes)
notes = notes.with_notes_filter(@params[:notes_filter]) if notes_filter?
+ notes = redact_internal(notes)
sort(notes)
end
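Review bot: The redaction is wired in only at the end of `execute`, so any caller that obtains the collection through another public method of the finder (for example `init_collection` or `target`, if those are public) would still receive internal notes; `execute`'s `def` line is above the hunk, so I cannot confirm from here whether such paths exist. If they do, consider applying `redact_internal` inside `init_collection` so every path through the finder is covered, and add a one-line why-comment on the added line, such as `# Strip internal notes for users without read_internal_note before anything leaves the finder`, so the ordering relative to `since_fetch_at` and the notes filter is not accidentally changed later.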
@@ -181,6 +182,13 @@ class NotesFinder
notes.order_by(sort)
end
+
+ def redact_internal(notes)
+ subject = @project || target
+ return notes if Ability.allowed?(@current_user, :read_internal_note, subject)
+
+ notes.not_internal
+ end
end
NotesFinder.prepend_mod_with('NotesFinder')
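Review bot: `redact_internal` appears to fail closed only because `Ability.allowed?` denies a nil subject: when both `@project` and `target` are nil, `subject = @project || target` yields nil and the guard falls through to `notes.not_internal`, which is the safe outcome but is nowhere stated. Make that explicit so a later change to `target` or to the policy lookup cannot widen it, e.g. `return notes.not_internal if subject.nil?` before the `Ability.allowed?` call, with the comment `# No project or noteable to authorize against: never expose internal notes`. The check is also made against the project whenever `@project` is set, so it assumes `:read_internal_note` on the project holds for every noteable in the collection; presumably intended, but worth a comment on the `subject =` line. Since `NotesFinder.prepend_mod_with('NotesFinder')` allows an EE override of this method, confirm any override keeps the same fail-closed default; the new spec covers guest and reporter but not an anonymous (`current_user` nil) visitor to the public project, which is the case the redaction most needs to hold for.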
diff --git a/spec/finders/notes_finder_spec.rb b/spec/finders/notes_finder_spec.rb
index 792a14e3064..1255a882114 100644
--- a/spec/finders/notes_finder_spec.rb
+++ b/spec/finders/notes_finder_spec.rb
@@ -106,6 +106,26 @@ RSpec.describe NotesFinder do
end
end
+ context 'for notes on public issue in public project' do
+ let_it_be(:public_project) { create(:project, :public) }
+ let_it_be(:guest_member) { create(:user) }
+ let_it_be(:reporter_member) { create(:user) }
+ let_it_be(:guest_project_member) { create(:project_member, :guest, user: guest_member, project: public_project) }
+ let_it_be(:reporter_project_member) { create(:project_member, :reporter, user: reporter_member, project: public_project) }
+ let_it_be(:internal_note) { create(:note_on_issue, project: public_project, internal: true) }
+ let_it_be(:public_note) { create(:note_on_issue, project: public_project) }
+
+ it 'shows all notes when the current_user has reporter access' do
+ notes = described_class.new(reporter_member, project: public_project).execute
+ expect(notes).to contain_exactly internal_note, public_note
+ end
+
+ it 'shows only public notes when the current_user has guest access' do
+ notes = described_class.new(guest_member, project: public_project).execute
+ expect(notes).to contain_exactly public_note
+ end
+ end
+
context 'for target type' do
let(:project) { create(:project, :repository) }
let!(:note1) { create :note_on_issue, project: project }