Don't expose epic for users without permissions

- epic is not required field anymore

ee/app/serializers/ee/issue_sidebar_extras_entity.rb

@@ -5,13 +5,17 @@ module EE
     extend ActiveSupport::Concern
 
     prepended do
-      expose :epic do
+      expose :epic, if: -> (issuable, _) { cen_read_epic?(issuable) } do
         expose :epic, merge: true, using: EpicBaseEntity
         expose :epic_issue_id do |issuable|
           issuable.epic_issue&.id
         end
       end
       expose :weight
+
+      def cen_read_epic?(issuable)
+        can?(request.current_user, :read_epic, issuable.epic)
+      end
     end
   end
 end

ee/changelogs/unreleased/security-conf-epic-visibility.yml

+---
+title: Fix displaying epics visibility in issue sidebar
+merge_request:
+author:
+type: security

ee/spec/fixtures/api/schemas/entities/issue_sidebar_extras.json

@@ -15,7 +15,6 @@
         "weight": { "type": ["integer", "null"] }
       },
       "required": [
-        "epic",
         "weight"
       ]
     }

ee/spec/serializers/ee/issue_sidebar_extras_entity_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe IssueSidebarExtrasEntity do
+  let_it_be(:group) { create(:group) }
+  let_it_be(:project) { create(:project, group: group) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:issue, reload: true) { create(:issue, :confidential, project: project) }
+  let(:request) { double('request', current_user: user) }
+
+  subject { described_class.new(issue, request: request).as_json }
+
+  context 'exposing epic' do
+    before do
+      stub_licensed_features(epics: true)
+    end
+
+    context 'when epic is confidential' do
+      let_it_be(:confidential_epic) { create(:epic, :confidential, group: group) }
+      let_it_be(:epic_issue) { create(:epic_issue, issue: issue, epic: confidential_epic) }
+
+      it 'returns nil for a user who is a project member' do
+        project.add_developer(user)
+
+        expect(subject[:epic]).to be_nil
+      end
+
+      it 'exposes the epic for a user who is a group member' do
+        group.add_developer(user)
+
+        expect(subject[:epic].keys).to match_array([:id, :iid, :title, :url, :group_id, :epic_issue_id])
+      end
+    end
+
+    context 'when epic is not confidential' do
+      let_it_be(:epic) { create(:epic, group: group) }
+      let_it_be(:epic_issue) { create(:epic_issue, issue: issue, epic: epic) }
+
+      it 'exposes the epic for a project member' do
+        project.add_developer(user)
+
+        expect(subject[:epic].keys).to match_array([:id, :iid, :title, :url, :group_id, :epic_issue_id])
+      end
+
+      it 'exposes the epic for a user who is a group member' do
+        group.add_developer(user)
+
+        expect(subject[:epic].keys).to match_array([:id, :iid, :title, :url, :group_id, :epic_issue_id])
+      end
+    end
+  end
+end

ee/spec/serializers/issue_serializer_spec.rb

@@ -12,8 +12,13 @@ RSpec.describe IssueSerializer do
   end
 
   before do
-    epic = create(:epic, :use_fixed_dates)
-    create(:epic_issue, issue: resource, epic: epic)
+    stub_licensed_features(epics: true)
+
+    create(:epic, :use_fixed_dates).tap do |epic|
+      create(:epic_issue, issue: resource, epic: epic)
+    end
+
+    resource.reload
   end
 
   context 'sidebar issue serialization' do