Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/wiki_actions.rb | 2 | ||||
-rw-r--r-- | app/finders/events_finder.rb | 6 | ||||
-rw-r--r-- | app/models/merge_request.rb | 2 | ||||
-rw-r--r-- | app/services/snippets/repository_validation_service.rb | 72 |
4 files changed, 80 insertions, 2 deletions
diff --git a/app/controllers/concerns/wiki_actions.rb b/app/controllers/concerns/wiki_actions.rb
index b4b4fd84c37..7eef12fadfe 100644
--- a/app/controllers/concerns/wiki_actions.rb
+++ b/app/controllers/concerns/wiki_actions.rb
@@ -58,7 +58,7 @@ module WikiActions
 
 render 'shared/wikis/show'
 elsif file_blob
- send_blob(wiki.repository, file_blob, allow_caching: container.public?)
+ send_blob(wiki.repository, file_blob)
 elsif show_create_form?
 # Assign a title to the WikiPage unless `id` is a randomly generated slug from #new
 title = params[:id] unless params[:random_title].present?
diff --git a/app/finders/events_finder.rb b/app/finders/events_finder.rb
index 52612f1f8aa..004fbc4cd22 100644
--- a/app/finders/events_finder.rb
+++ b/app/finders/events_finder.rb
@@ -33,6 +33,8 @@ class EventsFinder
 end
 
 def execute
+ return Event.none if cannot_access_private_profile?
+
 events = get_events
 
 events = by_current_user_access(events)
@@ -103,6 +105,10 @@ class EventsFinder
 end
 # rubocop: enable CodeReuse/ActiveRecord
 
+ def cannot_access_private_profile?
+ source.is_a?(User) && !Ability.allowed?(current_user, :read_user_profile, source)
+ end
+
 def sort(events)
 return events unless params[:sort]
 
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index caf7b554427..a7e0907eb5f 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -518,7 +518,7 @@ class MergeRequest < ApplicationRecord
 participants << merge_user
 end
 
- participants
+ participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }
 end
 
 def first_commit
diff --git a/app/services/snippets/repository_validation_service.rb b/app/services/snippets/repository_validation_service.rb
new file mode 100644
index 00000000000..c8197795383
--- /dev/null
+++ b/app/services/snippets/repository_validation_service.rb
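Review bot: The new `send_blob(wiki.repository, file_blob)` call gives no hint why `allow_caching: container.public?` was dropped, and the default value of that option is not visible in this hunk, so a later cleanup could easily reintroduce caching for public containers. A one-line comment above the call would pin the intent, e.g. `# Do not pass allow_caching: wiki blob responses are served uncached regardless of container visibility`. If send_blob's default is anything other than caching disabled, the call should say `allow_caching: false` explicitly rather than rely on the default. The enclosing method starts and ends outside the hunk.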
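Review bot: `cannot_access_private_profile?` in the second events_finder.rb hunk is undocumented, and a negated predicate name makes the guard in `execute` read as a double negative at any future call site that wants the positive case. Either rename it positively or add a comment stating the contract, e.g. `# True when the finder's source is a User whose profile the current user may not read; only User sources are affected` — presumably because `by_current_user_access` further down filters on the events themselves rather than on the source user's profile visibility, which the hunk does not show. Placing the new method directly after the `# rubocop: enable CodeReuse/ActiveRecord` marker also reads as if it belonged to the disabled region; moving it below `sort` would avoid that.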
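Review bot: In the merge_request.rb hunk, `participants.select { |participant| Ability.allowed?(participant, :read_merge_request, self) }` evaluates a policy once per participant on every call, and since the enclosing method starts outside the hunk it is not visible whether its result is memoized; if it is invoked repeatedly (notification fan-out, for instance) the repeated policy checks may be noticeable. The filter also deserves a comment explaining the why, e.g. `# Drop anyone who cannot read this merge request so downstream consumers never see a participant it is hidden from`, so the line is not mistaken for an accidental narrowing of the participant list.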
@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Snippets
+ class RepositoryValidationService
+ attr_reader :current_user, :snippet, :repository
+
+ RepositoryValidationError = Class.new(StandardError)
+
+ def initialize(user, snippet)
+ @current_user = user
+ @snippet = snippet
+ @repository = snippet.repository
+ end
+
+ def execute
+ if snippet.nil?
+ return service_response_error('No snippet found.', 404)
+ end
+
+ check_branch_count!
+ check_branch_name_default!
+ check_tag_count!
+ check_file_count!
+ check_size!
+
+ ServiceResponse.success(message: 'Valid snippet repository.')
+ rescue RepositoryValidationError => e
+ ServiceResponse.error(message: "Error: #{e.message}", http_status: 400)
+ end
+
+ private
+
+ def check_branch_count!
+ return if repository.branch_count == 1
+
+ raise RepositoryValidationError, _('Repository has more than one branch.')
+ end
+
+ def check_branch_name_default!
+ branches = repository.branch_names
+
+ return if branches.first == Gitlab::Checks::SnippetCheck::DEFAULT_BRANCH
+
+ raise RepositoryValidationError, _('Repository has an invalid default branch name.')
+ end
+
+ def check_tag_count!
+ return if repository.tag_count == 0
+
+ raise RepositoryValidationError, _('Repository has tags.')
+ end
+
+ def check_file_count!
+ file_count = repository.ls_files(nil).size
+ limit = Snippet.max_file_limit(current_user)
+
+ if file_count > limit
+ raise RepositoryValidationError, _('Repository files count over the limit')
+ end
+
+ if file_count == 0
+ raise RepositoryValidationError, _('Repository must contain at least 1 file.')
+ end
+ end
+
+ def check_size!
+ return unless snippet.repository_size_checker.above_size_limit?
+
+ raise RepositoryValidationError, _('Repository size is above the limit.')
+ end
+ end
+end
|
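Review bot: The `snippet.nil?` branch in `execute` is unreachable: `initialize` already calls `snippet.repository`, so a nil snippet raises NoMethodError in the constructor before `execute` can return its 404 response. If it were reached it would fail again, because `service_response_error` is not defined in this class, which has no superclass or mixin to supply it. Either drop the branch or make it real with `@repository = snippet&.repository` in `initialize` and `return ServiceResponse.error(message: 'No snippet found.', http_status: 404) if snippet.nil?` in `execute`. A short class comment would also help readers, stating that the checks enforce exactly one branch named `Gitlab::Checks::SnippetCheck::DEFAULT_BRANCH`, no tags, a file count between 1 and `Snippet.max_file_limit(current_user)`, and the repository size limit, with every violation surfaced as a 400 `ServiceResponse` carrying the translated message.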