1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
# frozen_string_literal: true
module API
module Helpers
module NotesHelpers
include ::RendersNotes
def self.feature_category_per_noteable_type
{
Issue => :team_planning,
MergeRequest => :code_review,
Snippet => :source_code_management
}
end
def update_note(noteable, note_id)
note = noteable.notes.find(note_id)
authorize! :admin_note, note
opts = {
note: params[:body],
confidential: params[:confidential]
}.compact
parent = noteable_parent(noteable)
project = parent if parent.is_a?(Project)
note = ::Notes::UpdateService.new(project, current_user, opts).execute(note)
if note.valid?
present note, with: Entities::Note
else
bad_request!("Failed to save note #{note.errors.messages}")
end
end
def resolve_note(noteable, note_id, resolved)
note = noteable.notes.find(note_id)
authorize! :resolve_note, note
bad_request!("Note is not resolvable") unless note.resolvable?
if resolved
parent = noteable_parent(noteable)
::Notes::ResolveService.new(parent, current_user).execute(note)
else
note.unresolve!
end
present note, with: Entities::Note
end
def delete_note(noteable, note_id)
note = noteable.notes.find(note_id)
authorize! :admin_note, note
parent = noteable_parent(noteable)
project = parent if parent.is_a?(Project)
destroy_conditionally!(note) do |note|
::Notes::DestroyService.new(project, current_user).execute(note)
end
end
def get_note(noteable, note_id)
note = noteable.notes.with_metadata.find(note_id)
can_read_note = note.readable_by?(current_user)
if can_read_note
present note, with: Entities::Note
else
not_found!("Note")
end
end
def noteable_read_ability_name(noteable)
"read_#{ability_name(noteable)}".to_sym
end
def ability_name(noteable)
if noteable.respond_to?(:to_ability_name)
noteable.to_ability_name
else
noteable.class.to_s.underscore
end
end
def find_noteable(noteable_type, noteable_id)
params = finder_params_by_noteable_type_and_id(noteable_type, noteable_id)
noteable = NotesFinder.new(current_user, params).target
# Checking `read_note` permission here, because API code does not seem to use NoteFinder to find notes,
# but rather pulls notes directly through notes association, so there is no chance to check read_note
# permission at service level. With WorkItem model we need to make sure that it has WorkItem::Widgets::Note
# available in order to access notes.
noteable = nil unless can_read_notes?(noteable)
noteable || not_found!(noteable_type)
end
def finder_params_by_noteable_type_and_id(type, id)
target_type = type.name.underscore
{ target_type: target_type }.tap do |h|
if %w(issue merge_request).include?(target_type)
h[:target_iid] = id
else
h[:target_id] = id
end
add_parent_to_finder_params(h, type)
end
end
def add_parent_to_finder_params(finder_params, noteable_type)
finder_params[:project] = user_project
end
def noteable_parent(noteable)
public_send("user_#{noteable.class.parent_class.to_s.underscore}") # rubocop:disable GitlabSecurity/PublicSend
end
def create_note(noteable, opts)
disable_query_limiting
authorize!(:create_note, noteable)
parent = noteable_parent(noteable)
opts.delete(:created_at) unless current_user.can?(:set_note_created_at, noteable)
opts[:updated_at] = opts[:created_at] if opts[:created_at]
project = parent if parent.is_a?(Project)
::Notes::CreateService.new(project, current_user, opts).execute
end
def resolve_discussion(noteable, discussion_id, resolved)
discussion = noteable.find_discussion(discussion_id)
forbidden! unless discussion.can_resolve?(current_user)
if resolved
parent = noteable_parent(noteable)
::Discussions::ResolveService.new(parent, current_user, one_or_more_discussions: discussion).execute
else
::Discussions::UnresolveService.new(discussion, current_user).execute
end
present discussion, with: Entities::Discussion
end
def disable_query_limiting
Gitlab::QueryLimiting.disable!('https://gitlab.com/gitlab-org/gitlab/-/issues/211538')
end
private
def can_read_notes?(noteable)
Ability.allowed?(current_user, noteable_read_ability_name(noteable), noteable) &&
Ability.allowed?(current_user, :read_note, noteable)
end
end
end
end
API::Helpers::NotesHelpers.prepend_mod_with('API::Helpers::NotesHelpers')
|