lib/api/helpers/notes_helpers.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

# frozen_string_literal: true

module API
  module Helpers
    module NotesHelpers
      include ::RendersNotes

      def self.feature_category_per_noteable_type
        {
          Issue => :team_planning,
          MergeRequest => :code_review_workflow,
          Snippet => :source_code_management
        }
      end

      def update_note(noteable, note_id)
        note = noteable.notes.find(note_id)

        authorize! :admin_note, note

        opts = {
          note: params[:body],
          confidential: params[:confidential]
        }.compact
        parent = noteable_parent(noteable)
        project = parent if parent.is_a?(Project)

        note = ::Notes::UpdateService.new(project, current_user, opts).execute(note)

        if note.valid?
          present note, with: Entities::Note
        else
          bad_request!("Failed to save note #{note.errors.messages}")
        end
      end

      def resolve_note(noteable, note_id, resolved)
        note = noteable.notes.find(note_id)

        authorize! :resolve_note, note

        bad_request!("Note is not resolvable") unless note.resolvable?

        if resolved
          parent = noteable_parent(noteable)
          ::Notes::ResolveService.new(parent, current_user).execute(note)
        else
          note.unresolve!
        end

        present note, with: Entities::Note
      end

      def delete_note(noteable, note_id)
        note = noteable.notes.find(note_id)

        authorize! :admin_note, note

        parent = noteable_parent(noteable)
        project = parent if parent.is_a?(Project)
        destroy_conditionally!(note) do |note|
          ::Notes::DestroyService.new(project, current_user).execute(note)
        end
      end

      def get_note(noteable, note_id)
        note = noteable.notes.with_metadata.find(note_id)
        can_read_note = note.readable_by?(current_user)

        if can_read_note
          present note, with: Entities::Note
        else
          not_found!("Note")
        end
      end

      def noteable_read_ability_name(noteable)
        "read_#{ability_name(noteable)}".to_sym
      end

      def ability_name(noteable)
        if noteable.respond_to?(:to_ability_name)
          noteable.to_ability_name
        else
          noteable.class.to_s.underscore
        end
      end

      def find_noteable(noteable_type, noteable_id)
        params = finder_params_by_noteable_type_and_id(noteable_type, noteable_id)

        noteable = NotesFinder.new(current_user, params).target

        # Checking `read_note` permission here, because API code does not seem to use NoteFinder to find notes,
        # but rather pulls notes directly through notes association, so there is no chance to check read_note
        # permission at service level. With WorkItem model we need to make sure that it has WorkItem::Widgets::Note
        # available in order to access notes.
        noteable = nil unless can_read_notes?(noteable)
        noteable || not_found!(noteable_type)
      end

      def finder_params_by_noteable_type_and_id(type, id)
        target_type = type.name.underscore
        { target_type: target_type }.tap do |h|
          if %w(issue merge_request).include?(target_type)
            h[:target_iid] = id
          else
            h[:target_id] = id
          end

          add_parent_to_finder_params(h, type)
        end
      end

      def add_parent_to_finder_params(finder_params, noteable_type)
        finder_params[:project] = user_project
      end

      def noteable_parent(noteable)
        public_send("user_#{noteable.class.parent_class.to_s.underscore}") # rubocop:disable GitlabSecurity/PublicSend
      end

      def create_note(noteable, opts)
        disable_query_limiting
        authorize!(:create_note, noteable)

        parent = noteable_parent(noteable)

        opts.delete(:created_at) unless current_user.can?(:set_note_created_at, noteable)

        opts[:updated_at] = opts[:created_at] if opts[:created_at]

        project = parent if parent.is_a?(Project)
        ::Notes::CreateService.new(project, current_user, opts).execute
      end

      def resolve_discussion(noteable, discussion_id, resolved)
        discussion = noteable.find_discussion(discussion_id)

        forbidden! unless discussion.can_resolve?(current_user)

        if resolved
          parent = noteable_parent(noteable)
          ::Discussions::ResolveService.new(parent, current_user, one_or_more_discussions: discussion).execute
        else
          ::Discussions::UnresolveService.new(discussion, current_user).execute
        end

        present discussion, with: Entities::Discussion
      end

      def disable_query_limiting
        Gitlab::QueryLimiting.disable!('https://gitlab.com/gitlab-org/gitlab/-/issues/211538')
      end

      private

      def can_read_notes?(noteable)
        Ability.allowed?(current_user, noteable_read_ability_name(noteable), noteable) &&
          Ability.allowed?(current_user, :read_note, noteable)
      end
    end
  end
end

API::Helpers::NotesHelpers.prepend_mod_with('API::Helpers::NotesHelpers')