1 files changed, 24 insertions, 5 deletions

diff --git a/app/finders/labels_finder.rb b/app/finders/labels_finder.rb
index 1427cdaa382..780c0fdb03e 100644
--- a/app/finders/labels_finder.rb
+++ b/app/finders/labels_finder.rb
@@ -1,6 +1,10 @@
 class LabelsFinder < UnionFinder
+  prepend FinderWithCrossProjectAccess
+  include FinderMethods
   include Gitlab::Utils::StrongMemoize
 
+  requires_cross_project_access unless: -> { project? }
+
   def initialize(current_user, params = {})
     @current_user = current_user
     @params = params
@@ -35,7 +39,7 @@ class LabelsFinder < UnionFinder
         end
       end
     elsif only_group_labels?
-      label_ids << Label.where(group_id: group.id)
+      label_ids << Label.where(group_id: group_ids)
     else
       label_ids << Label.where(group_id: projects.group_ids)
       label_ids << Label.where(project_id: projects.select(:id))
@@ -55,13 +59,22 @@ class LabelsFinder < UnionFinder
     items.where(title: title)
   end
 
-  def group
-    strong_memoize(:group) do
-      group = Group.find(params[:group_id])
-      authorized_to_read_labels?(group) && group
+  def group_ids
+    strong_memoize(:group_ids) do
+      groups_user_can_read_labels(groups_to_include).map(&:id)
     end
   end
 
+  def groups_to_include
+    group = Group.find(params[:group_id])
+    groups = [group]
+
+    groups += group.ancestors if params[:include_ancestor_groups].present?
+    groups += group.descendants if params[:include_descendant_groups].present?
+
+    groups
+  end
+
   def group?
     params[:group_id].present?
   end
@@ -116,4 +129,10 @@ class LabelsFinder < UnionFinder
 
     Ability.allowed?(current_user, :read_label, label_parent)
   end
+
+  def groups_user_can_read_labels(groups)
+    DeclarativePolicy.user_scope do
+      groups.select { |group| authorized_to_read_labels?(group) }
+    end
+  end
 end