Only allow user to see participants from groups they have access to.

5 files changed, 12 insertions, 12 deletions

diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb
index 88ac83744df..478134dff68 100644
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -118,16 +118,16 @@ module Issuable
   end
 
   # Return all users participating on the discussion
-  def participants
+  def participants(current_user = self.author)
     users = []
     users << author
     users << assignee if is_assigned?
     mentions = []
-    mentions << self.mentioned_users
+    mentions << self.mentioned_users(current_user)
 
     notes.each do |note|
       users << note.author
-      mentions << note.mentioned_users
+      mentions << note.mentioned_users(current_user)
     end
 
     users.concat(mentions.reduce([], :|)).uniq
@@ -140,7 +140,7 @@ module Issuable
       return subscription.subscribed
     end
 
-    participants.include?(user)
+    participants(user).include?(user)
   end
 
   def toggle_subscription(user)
diff --git a/app/models/concerns/mentionable.rb b/app/models/concerns/mentionable.rb
index 1ab0a28fddd..41bcfa6be21 100644
--- a/app/models/concerns/mentionable.rb
+++ b/app/models/concerns/mentionable.rb
@@ -42,10 +42,10 @@ module Mentionable
     Note.cross_reference_exists?(target, local_reference)
   end
 
-  def mentioned_users
+  def mentioned_users(current_user = nil)
     return [] if mentionable_text.blank?
 
-    ext = Gitlab::ReferenceExtractor.new(self.project)
+    ext = Gitlab::ReferenceExtractor.new(self.project, current_user)
     ext.analyze(text)
     ext.users.uniq
   end
diff --git a/app/services/projects/participants_service.rb b/app/services/projects/participants_service.rb
index bcbacbff562..bcdde0950c5 100644
--- a/app/services/projects/participants_service.rb
+++ b/app/services/projects/participants_service.rb
@@ -21,10 +21,10 @@ module Projects
       users = case type
               when "Issue"
                 issue = @project.issues.find_by_iid(id)
-                issue ? issue.participants : []
+                issue ? issue.participants(user) : []
               when "MergeRequest"
                 merge_request = @project.merge_requests.find_by_iid(id)
-                merge_request ? merge_request.participants : []
+                merge_request ? merge_request.participants(user) : []
               when "Commit"
                 author_ids = Note.for_commit_id(id).pluck(:author_id).uniq
                 User.where(id: author_ids)
diff --git a/app/views/projects/issues/_discussion.html.haml b/app/views/projects/issues/_discussion.html.haml
index 0d3028d50b4..288b48f4583 100644
--- a/app/views/projects/issues/_discussion.html.haml
+++ b/app/views/projects/issues/_discussion.html.haml
@@ -9,8 +9,8 @@
     .votes-holder.pull-right
       #votes= render 'votes/votes_block', votable: @issue
     .participants
-      %span= pluralize(@issue.participants.count, 'participant')
-      - @issue.participants.each do |participant|
+      %span= pluralize(@issue.participants(current_user).count, 'participant')
+      - @issue.participants(current_user).each do |participant|
         = link_to_member(@project, participant, name: false, size: 24)
     .voting_notes#notes= render "projects/notes/notes_with_form"
   %aside.col-md-3
diff --git a/app/views/projects/merge_requests/show/_participants.html.haml b/app/views/projects/merge_requests/show/_participants.html.haml
index 4f34af1737d..9c93fa55fe6 100644
--- a/app/views/projects/merge_requests/show/_participants.html.haml
+++ b/app/views/projects/merge_requests/show/_participants.html.haml
@@ -1,4 +1,4 @@
 .participants
-  %span #{@merge_request.participants.count} participants
-  - @merge_request.participants.each do |participant|
+  %span #{@merge_request.participants(current_user).count} participants
+  - @merge_request.participants(current_user).each do |participant|
     = link_to_member(@project, participant, name: false, size: 24)