Commit 0dcd256d authored by Kerri Miller's avatar Kerri Miller

Enable visibility filter on Epics menu pill count

When :skip_visibility_check is true, the number calculated for display in the
sidebar (the "pill count") does not account for the user's access level.
This number is strong_memoize'd and cached, so this change should have
negligible performance impact.

Changelog: security
EE: true
parent 44cdc72e
......@@ -11,7 +11,7 @@ module Groups
def relation_for_count
EpicsFinder
.new(user, group_id: group.id, state: 'opened')
.execute(skip_visibility_check: true)
.execute(skip_visibility_check: false)
end
def issuable_key
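Review bot: The cache that sits in front of `relation_for_count` must now be user-aware, because after this change the relation returned by `.execute` depends on what `user` is allowed to see; the commit description says the value is memoized and cached, and the spec in the next file runs `it_behaves_like 'a counter caching service with threshold'`, but the cache key is not visible in this hunk. If that key is derived from the group alone, a count computed for a member who can see confidential epics would be served to a visitor who cannot, reintroducing the disclosure through the cache rather than the finder. Please confirm `cache_key` incorporates the user's access level (or that this count bypasses the shared cache), and record the intent on the changed line: `# Keep the visibility check: the pill count must not reveal confidential epics the user cannot see.` The enclosing class `Groups::EpicsCountService` starts outside the hunk.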
......
......@@ -10,6 +10,7 @@ RSpec.describe Groups::EpicsCountService, :use_clean_rails_memory_store_caching
subject { described_class.new(group, user) }
describe '#relation_for_count' do
context "when the user is a reporter" do
before do
group.add_reporter(user)
allow(EpicsFinder).to receive(:new).and_call_original
......@@ -24,5 +25,20 @@ RSpec.describe Groups::EpicsCountService, :use_clean_rails_memory_store_caching
end
end
context "when there are confidential epics" do
let_it_be(:epic) { create(:epic, :confidential, group: group) }
context "when the user has view access to the group and its epics" do
it "filters the count by visibility" do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(user, :read_epic, group).and_return(true)
expect(group.epics.count).to eq(2)
expect(subject.count).to eq(1)
end
end
end
end
it_behaves_like 'a counter caching service with threshold'
end
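Review bot: The new example in the second hunk stubs `Ability.allowed?(user, :read_epic, group)` to return true, so it proves the filter against a faked permission rather than a real membership level, which is the path an attacker would actually exercise. Granting a real role below reporter the way the earlier context grants `group.add_reporter(user)` (for example `group.add_guest(user)`) would test the genuine access check, and a sibling example for a reporter expecting `expect(subject.count).to eq(2)` would pin that confidential epics remain counted for users entitled to see them. The `expect(group.epics.count).to eq(2)` precondition relies on a second epic created outside this hunk, so a short comment naming that fixture would help readers of the confidential context.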