Merge branch 'add-safe-navigation-operator-ee' into 'master'

Check current user is nil when serialising

See merge request gitlab-org/gitlab-ee!16346

ee/app/serializers/vulnerabilities/feedback_entity.rb

@@ -57,14 +57,18 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
   end
 
   def can_destroy_feedback?
-    can?(request.current_user, :destroy_vulnerability_feedback, feedback)
+    can?(current_user, :destroy_vulnerability_feedback, feedback)
   end
 
   def can_read_issue?
-    feedback.issue.present? && can?(request.current_user, :read_issue, feedback.issue)
+    feedback.issue.present? && can?(current_user, :read_issue, feedback.issue)
   end
 
   def can_read_merge_request?
-    feedback.merge_request.present? && can?(request.current_user, :read_merge_request, feedback.merge_request)
+    feedback.merge_request.present? && can?(current_user, :read_merge_request, feedback.merge_request)
+  end
+
+  def current_user
+    return request.current_user if request.respond_to?(:current_user)
   end
 end

ee/spec/serializers/vulnerabilities/feedback_entity_spec.rb

@@ -44,6 +44,23 @@ describe Vulnerabilities::FeedbackEntity do
         end
       end
 
+      context 'when there is no current user' do
+        let(:entity) { described_class.represent(feedback, request: request) }
+
+        before do
+          allow(request).to receive(:current_user).and_return(nil)
+          allow(feedback).to receive(:author).and_return(nil)
+        end
+
+        subject { entity.as_json }
+
+        it 'does not include fields related to current user' do
+          is_expected.not_to include(:issue_url)
+          is_expected.not_to include(:destroy_vulnerability_feedback_dismissal_path)
+          is_expected.not_to include(:merge_request_path)
+        end
+      end
+
       context 'when issue is not present' do
         let(:feedback) { build(:vulnerability_feedback, feedback_type: :issue, project: project, issue: nil) }