Commit 1e70541e authored by Lee Tickett's avatar Lee Tickett Committed by Stan Hu

Hide confidential comments from atom feed

parent c265e89b
...@@ -162,6 +162,7 @@ class ProjectsController < Projects::ApplicationController ...@@ -162,6 +162,7 @@ class ProjectsController < Projects::ApplicationController
format.atom do format.atom do
load_events load_events
@events = @events.select { |event| event.visible_to_user?(current_user) }
render layout: 'xml.atom' render layout: 'xml.atom'
end end
end end
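Review bot: The new `select` on line 9 runs after `load_events` has already applied its page limit, so an atom feed page whose window contains confidential-note events comes back shorter than the limit rather than back-filled; the lateral-join comment added to EventCollection in this commit acknowledges that, but nothing at the call site says so. Consider `# Filtered after the query limit: a page may hold fewer than `limit` events when some are not visible to current_user.` above line 9. `visible_to_user?` presumably evaluates a policy per event, so this adds one authorization check per feed entry — worth confirming it does not trigger a query per target. The `show` action starts and ends outside the hunk.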
......
...@@ -390,16 +390,15 @@ class Event < ApplicationRecord ...@@ -390,16 +390,15 @@ class Event < ApplicationRecord
read_snippet: %i[personal_snippet_note? project_snippet_note?], read_snippet: %i[personal_snippet_note? project_snippet_note?],
read_milestone: %i[milestone?], read_milestone: %i[milestone?],
read_wiki: %i[wiki_page?], read_wiki: %i[wiki_page?],
read_design: %i[design_note? design?] read_design: %i[design_note? design?],
read_note: %i[note?]
} }
end end
private private
def permission_object def permission_object
if note? if target_id.present?
note_target
elsif target_id.present?
target target
else else
project project
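Review bot: The new `read_note: %i[note?]` entry on line 19 overlaps with `read_snippet` and `read_design`, whose predicates also match note events; if the ability lookup takes the first entry whose predicate matches (the lookup itself is outside the hunk), the entry is correct only because it comes last, and that should be stated: `read_note: %i[note?] # keep last: snippet/design notes are matched by the more specific abilities above`. With `permission_object` now returning `target` for note events, the policy is evaluated against the note record itself rather than the noteable that `note_target` returned before, so confidentiality is enforced wherever `read_note` on the note is denied. A note event whose `target` no longer exists presumably yields a nil permission object and a denied check, which is the safe default but deserves a spec. `permission_object` continues past the hunk.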
......
...@@ -59,6 +59,7 @@ class EventCollection ...@@ -59,6 +59,7 @@ class EventCollection
parents_for_lateral = parents.select(:id).to_sql parents_for_lateral = parents.select(:id).to_sql
lateral = filtered_events lateral = filtered_events
# Applying the limit here (before we filter (permissions) means we may get less than limit)
.limit(limit_for_join_lateral) .limit(limit_for_join_lateral)
.where("events.#{parent_column} = parents_for_lateral.id") # rubocop:disable GitlabSecurity/SqlInjection .where("events.#{parent_column} = parents_for_lateral.id") # rubocop:disable GitlabSecurity/SqlInjection
.to_sql .to_sql
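Review bot: The comment added at line 34 has unbalanced parentheses and reads awkwardly; suggest `# The limit is applied before permission filtering, so callers may receive fewer than `limit` visible events.` It is also the only place this property is recorded, although the consumer that does the filtering (the controller's `format.atom` block changed in the same commit) is where a reader would look for it, so a matching remark there would help.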
......
...@@ -10,7 +10,6 @@ RSpec.describe Event do ...@@ -10,7 +10,6 @@ RSpec.describe Event do
let_it_be(:reporter) { create(:user) } let_it_be(:reporter) { create(:user) }
let_it_be(:author) { create(:author) } let_it_be(:author) { create(:author) }
let_it_be(:admin) { create(:admin) } let_it_be(:admin) { create(:admin) }
let_it_be(:project) { create(:project) }
let(:users) { [non_member, member, reporter, guest, author, admin] } let(:users) { [non_member, member, reporter, guest, author, admin] }
...@@ -21,10 +20,6 @@ RSpec.describe Event do ...@@ -21,10 +20,6 @@ RSpec.describe Event do
before do before do
stub_licensed_features(epics: true) stub_licensed_features(epics: true)
project.add_developer(member)
project.add_guest(guest)
project.add_reporter(reporter)
if defined?(group) if defined?(group)
group.add_developer(member) group.add_developer(member)
group.add_guest(guest) group.add_guest(guest)
......
...@@ -119,11 +119,6 @@ RSpec.describe ProjectsController do ...@@ -119,11 +119,6 @@ RSpec.describe ProjectsController do
get :activity, params: { namespace_id: project.namespace, id: project, format: :json } get :activity, params: { namespace_id: project.namespace, id: project, format: :json }
expect(json_response['html']).to eq("\n") expect(json_response['html']).to eq("\n")
end
it 'filters out invisible event when calculating the count' do
get :activity, params: { namespace_id: project.namespace, id: project, format: :json }
expect(json_response['count']).to eq(0) expect(json_response['count']).to eq(0)
end end
end end
...@@ -1484,6 +1479,30 @@ RSpec.describe ProjectsController do ...@@ -1484,6 +1479,30 @@ RSpec.describe ProjectsController do
end end
end end
context 'GET show.atom' do
let_it_be(:public_project) { create(:project, :public) }
let_it_be(:event) { create(:event, :commented, project: public_project, target: create(:note, project: public_project)) }
let_it_be(:invisible_event) { create(:event, :commented, project: public_project, target: create(:note, :confidential, project: public_project)) }
it 'filters by calling event.visible_to_user?' do
expect(EventCollection).to receive_message_chain(:new, :to_a).and_return([event, invisible_event])
expect(event).to receive(:visible_to_user?).and_return(true)
expect(invisible_event).to receive(:visible_to_user?).and_return(false)
get :show, format: :atom, params: { id: public_project, namespace_id: public_project.namespace }
expect(response).to render_template('xml.atom')
expect(assigns(:events)).to eq([event])
end
it 'filters by calling event.visible_to_user?' do
get :show, format: :atom, params: { id: public_project, namespace_id: public_project.namespace }
expect(response).to render_template('xml.atom')
expect(assigns(:events)).to eq([event])
end
end
describe 'GET resolve' do describe 'GET resolve' do
shared_examples 'resolvable endpoint' do shared_examples 'resolvable endpoint' do
it 'redirects to the project page' do it 'redirects to the project page' do
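Review bot: The two examples at lines 71 and 79 share the description 'filters by calling event.visible_to_user?', but the second stubs nothing and actually checks end to end that the confidential-note event is dropped; rename it, e.g. `it 'does not include events on confidential notes for a user who cannot read them' do`. No sign-in is visible in the hunk, so the examples appear to cover the anonymous visitor only; a signed-in member example asserting that `assigns(:events)` includes `invisible_event` would pin the positive side that the Event spec in this commit expects. `receive_message_chain(:new, :to_a)` in the first example couples the test to how `load_events` (outside the hunk) builds the collection; stubbing the `to_a` result alone would be less brittle.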
......
...@@ -268,6 +268,7 @@ RSpec.describe Event do ...@@ -268,6 +268,7 @@ RSpec.describe Event do
let(:design) { create(:design, issue: issue, project: project) } let(:design) { create(:design, issue: issue, project: project) }
let(:note_on_commit) { create(:note_on_commit, project: project) } let(:note_on_commit) { create(:note_on_commit, project: project) }
let(:note_on_issue) { create(:note_on_issue, noteable: issue, project: project) } let(:note_on_issue) { create(:note_on_issue, noteable: issue, project: project) }
let(:confidential_note) { create(:note, noteable: issue, project: project, confidential: true) }
let(:note_on_confidential_issue) { create(:note_on_issue, noteable: confidential_issue, project: project) } let(:note_on_confidential_issue) { create(:note_on_issue, noteable: confidential_issue, project: project) }
let(:note_on_project_snippet) { create(:note_on_project_snippet, author: author, noteable: project_snippet, project: project) } let(:note_on_project_snippet) { create(:note_on_project_snippet, author: author, noteable: project_snippet, project: project) }
let(:note_on_personal_snippet) { create(:note_on_personal_snippet, author: author, noteable: personal_snippet, project: nil) } let(:note_on_personal_snippet) { create(:note_on_personal_snippet, author: author, noteable: personal_snippet, project: nil) }
...@@ -399,6 +400,16 @@ RSpec.describe Event do ...@@ -399,6 +400,16 @@ RSpec.describe Event do
include_examples 'visible to assignee and author', true include_examples 'visible to assignee and author', true
end end
context 'confidential note' do
let(:target) { confidential_note }
include_examples 'visibility examples' do
let(:visibility) { visible_to_none_except(:member) }
end
include_examples 'visible to author', true
end
context 'private project' do context 'private project' do
let(:project) { private_project } let(:project) { private_project }
let(:target) { note_on_issue } let(:target) { note_on_issue }
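Review bot: The new `confidential_note` at line 93 is built with `confidential: true`, while the `GET show.atom` spec in this commit uses the `:confidential` factory trait for the same thing; use the trait here too for consistency: `let(:confidential_note) { create(:note, :confidential, noteable: issue, project: project) }`. The new context at lines 100-106 covers a confidential note on a non-confidential issue only; a confidential note on `confidential_issue` (line 94 already has that shape for a plain note) would confirm the two checks compose. The `visible_to_none_except(:member)` expectation excludes `reporter` and `admin`, which is presumably intentional given the note policy, but a one-line comment stating why would help later readers.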
......