Render special references for release entities

Provide current user when generating release entity json representation
so that we can render special references if they have enough access.

Related to https://gitlab.com/gitlab-org/gitlab/issues/32882.

changelogs/unreleased/32882-render-special-references-for-releases.yml

+---
+title: Render special references for releases
+merge_request: 26554
+author:
+type: fixed

lib/api/entities/release.rb

@@ -11,7 +11,7 @@ module API
       expose :tag, as: :tag_name, if: ->(_, _) { can_download_code? }
       expose :description
       expose :description_html do |entity|
-        MarkupHelper.markdown_field(entity, :description)
+        MarkupHelper.markdown_field(entity, :description, current_user: options[:current_user])
       end
       expose :created_at
       expose :released_at

spec/lib/api/entities/release_spec.rb

@@ -4,13 +4,14 @@ require 'spec_helper'
 
 describe API::Entities::Release do
   let_it_be(:project) { create(:project) }
-  let_it_be(:release) { create(:release, :with_evidence, project: project) }
-  let(:user) { create(:user) }
+  let_it_be(:user) { create(:user) }
   let(:entity) { described_class.new(release, current_user: user) }
 
-  subject { entity.as_json }
-
   describe 'evidence' do
+    let(:release) { create(:release, :with_evidence, project: project) }
+
+    subject { entity.as_json }
+
     context 'when the current user can download code' do
       it 'exposes the evidence sha and the json path' do
         allow(Ability).to receive(:allowed?).and_call_original
@@ -37,4 +38,27 @@ describe API::Entities::Release do
       end
     end
   end
+
+  describe 'description_html' do
+    let(:issue) { create(:issue, :confidential, project: project) }
+    let(:issue_path) { Gitlab::Routing.url_helpers.project_issue_path(project, issue) }
+    let(:issue_title) { 'title="%s"' % issue.title }
+    let(:release) { create(:release, project: project, description: "Now shipping #{issue.to_reference}") }
+
+    subject(:description_html) { entity.as_json[:description_html] }
+
+    it 'renders special references if current user has access' do
+      project.add_reporter(user)
+
+      expect(description_html).to include(issue_path)
+      expect(description_html).to include(issue_title)
+    end
+
+    it 'does not render special references if current user has no access' do
+      project.add_guest(user)
+
+      expect(description_html).not_to include(issue_path)
+      expect(description_html).not_to include(issue_title)
+    end
+  end
 end

spec/requests/api/releases_spec.rb

@@ -233,31 +233,6 @@ describe API::Releases do
           .to match_array(release.sources.map(&:url))
       end
 
-      context "when release description contains confidential issue's link" do
-        let(:confidential_issue) do
-          create(:issue,
-                 :confidential,
-                 project: project,
-                 title: 'A vulnerability')
-        end
-
-        let!(:release) do
-          create(:release,
-                 project: project,
-                 tag: 'v0.1',
-                 sha: commit.id,
-                 author: maintainer,
-                 description: "This is confidential #{confidential_issue.to_reference}")
-        end
-
-        it "does not expose confidential issue's title" do
-          get api("/projects/#{project.id}/releases/v0.1", maintainer)
-
-          expect(json_response['description_html']).to include(confidential_issue.to_reference)
-          expect(json_response['description_html']).not_to include('A vulnerability')
-        end
-      end
-
       context 'when release has link asset' do
         let!(:link) do
           create(:release_link,