Merge branch 'security-service-desk-email' into 'master'

Fix service desk email visibility in API

See merge request gitlab-org/security/gitlab!1956

lib/api/entities/project.rb

@@ -55,7 +55,9 @@ module API
       expose(:snippets_enabled) { |project, options| project.feature_available?(:snippets, options[:current_user]) }
       expose(:container_registry_enabled) { |project, options| project.feature_available?(:container_registry, options[:current_user]) }
       expose :service_desk_enabled
-      expose :service_desk_address
+      expose :service_desk_address, if: -> (project, options) do
+        Ability.allowed?(options[:current_user], :admin_issue, project)
+      end
 
       expose(:can_create_merge_request_in) do |project, options|
         Ability.allowed?(options[:current_user], :create_merge_request_in, project)

spec/lib/api/entities/project_spec.rb

@@ -13,6 +13,28 @@ RSpec.describe ::API::Entities::Project do
 
   subject(:json) { entity.as_json }
 
+  describe '.service_desk_address' do
+    before do
+      allow(project).to receive(:service_desk_enabled?).and_return(true)
+    end
+
+    context 'when a user can admin issues' do
+      before do
+        project.add_reporter(current_user)
+      end
+
+      it 'is present' do
+        expect(json[:service_desk_address]).to be_present
+      end
+    end
+
+    context 'when a user can not admin project' do
+      it 'is empty' do
+        expect(json[:service_desk_address]).to be_nil
+      end
+    end
+  end
+
   describe '.shared_with_groups' do
     let(:group) { create(:group, :private) }
 

spec/requests/api/projects_spec.rb

@@ -225,7 +225,7 @@ RSpec.describe API::Projects do
           create(:project, :public, group: create(:group))
         end
 
-        it_behaves_like 'projects response without N + 1 queries', 0 do
+        it_behaves_like 'projects response without N + 1 queries', 1 do
           let(:current_user) { user }
           let(:additional_project) { create(:project, :public, group: create(:group)) }
         end