Do not show participants invisible to the user

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/347407 **Problem** We expose participants that the current user cannot see because we don't provide the current user as an argument to participants method in GraphQL. When the user is missing, then we use the author of the issuable permissions to fetch participants. **Solution** Remove the feature flag to enable verification for participants Changelog: changed

Do not show participants invisible to the user
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/347407 **Problem** We expose participants that the current user cannot see because we don't provide the current user as an argument to participants method in GraphQL. When the user is missing, then we use the author of the issuable permissions to fetch participants. **Solution** Remove the feature flag to enable verification for participants Changelog: changed
d07f416f · Vasilii Iakliushin · d2080bb6 · d07f416f · d2080bb6 · d07f416f
Commit d07f416f authored Dec 17, 2021 by Vasilii Iakliushin
3 changed files
--- a/app/models/concerns/participable.rb
+++ b/app/models/concerns/participable.rb
@@ -64,8 +64,6 @@ module Participable
  #
  # Returns an Array of User instances.
  def visible_participants(user)
-    return participants(user) unless Feature.enabled?(:verify_participants_access, project, default_enabled: :yaml)
-
    filter_by_ability(raw_participants(user, verify_access: true))
  end


--- a/config/feature_flags/development/verify_participants_access.yml
+++ b/config/feature_flags/development/verify_participants_access.yml
---
-name: verify_participants_access
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74906
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/347407
-milestone: '14.6'
-type: development
-group: group::source code
-default_enabled: false
--- a/spec/models/concerns/participable_spec.rb
+++ b/spec/models/concerns/participable_spec.rb
@@ -138,7 +138,7 @@ RSpec.describe Participable do
      allow(instance).to receive_message_chain(:model_name, :element) { 'class' }
      expect(instance).to receive(:foo).and_return(user2)
      expect(instance).to receive(:bar).and_return(user3)
-      expect(instance).to receive(:project).thrice.and_return(project)
+      expect(instance).to receive(:project).twice.and_return(project)

      participants = instance.visible_participants(user1)

@@ -159,31 +159,10 @@ RSpec.describe Participable do

        allow(instance).to receive_message_chain(:model_name, :element) { 'class' }
        allow(instance).to receive(:bar).and_return(user2)
-        expect(instance).to receive(:project).thrice.and_return(project)
+        expect(instance).to receive(:project).twice.and_return(project)

        expect(instance.visible_participants(user1)).to be_empty
      end
-
-      context 'when feature flag is disabled' do
-        before do
-          stub_feature_flags(verify_participants_access: false)
-        end
-
-        it 'returns unavailable participants' do
-          model.participant(:bar)
-
-          instance = model.new
-          user1 = build(:user)
-          user2 = build(:user)
-          project = build(:project, :public)
-
-          allow(instance).to receive_message_chain(:model_name, :element) { 'class' }
-          allow(instance).to receive(:bar).and_return(user2)
-          expect(instance).to receive(:project).thrice.and_return(project)
-
-          expect(instance.visible_participants(user1)).to match_array([user2])
-        end
-      end
    end
  end