authorDmitriy Zaporozhets <dzaporozhets@gitlab.com>2015-04-13 14:10:25 +0000
committerDmitriy Zaporozhets <dzaporozhets@gitlab.com>2015-04-13 14:10:25 +0000
commitecb58dacd614de66c00c8df673abb96fafa5d452 (patch)
tree9ed48d7b39bdc67b841b58e33d40e3a4231ab207 /app/services
parent8cf1a6f0a3b58b299e1c63283400c05209270dc2 (diff)
parent16e1076e6f69626e1d8bf53f52dc67baee9fb51e (diff)
downloadgitlab-ce-ecb58dacd614de66c00c8df673abb96fafa5d452.tar.gz
Merge branch 'reference-access-control' into 'master'
Only allow users to reference groups, projects, issues, MRs, commits they have access to. Addresses https://dev.gitlab.org/gitlab/gitlabhq/issues/2183. See merge request !1742
Diffstat (limited to 'app/services')
-rw-r--r--app/services/git_push_service.rb6
-rw-r--r--app/services/notification_service.rb37
-rw-r--r--app/services/projects/participants_service.rb19
3 files changed, 33 insertions, 29 deletions
diff --git a/app/services/git_push_service.rb b/app/services/git_push_service.rb
index 1f0b29dff5e..31e0167d247 100644
--- a/app/services/git_push_service.rb
+++ b/app/services/git_push_service.rb
@@ -70,7 +70,7 @@ class GitPushService
# Close issues if these commits were pushed to the project's default branch and the commit message matches the
# closing regex. Exclude any mentioned Issues from cross-referencing even if the commits are being pushed to
# a different branch.
- issues_to_close = commit.closes_issues(project)
+ issues_to_close = commit.closes_issues(project, user)
# Load commit author only if needed.
# For push with 1k commits it prevents 900+ requests in database
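Review bot: Nothing at the `closes_issues(project, user)` call says which principal `user` is, and the same applies to `commit.references(project, user)` in the next hunk. From the surrounding service, `user` looks like the account that performed the push, which is the safer choice because the commit author comes from git metadata the pusher controls. A comment would keep a later edit from swapping in the commit author: `# Visibility is checked against the pushing user; the commit author comes from unauthenticated commit metadata.` The enclosing method starts and ends outside the hunk.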
@@ -87,7 +87,7 @@ class GitPushService
# Create cross-reference notes for any other references. Omit any issues that were referenced in an
# issue-closing phrase, or have already been mentioned from this commit (probably from this commit
# being pushed to a different branch).
- refs = commit.references(project) - issues_to_close
+ refs = commit.references(project, user) - issues_to_close
refs.reject! { |r| commit.has_mentioned?(r) }
if refs.present?
@@ -127,6 +127,6 @@ class GitPushService
end
def commit_user(commit)
- User.find_for_commit(commit.author_email, commit.author_name) || user
+ commit.author || user
end
end
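Review bot: `commit_user` now returns `commit.author`, an identity resolved from the commit's author fields, while the access checks added in the earlier hunks run against `user`. If the close and cross-reference notes are created as `commit_user(commit)` (the call sites are outside these hunks), an issue the pusher can see may get a note attributed to an account that has no access to it, and the author fields are set by whoever wrote the commit. Consider checking the resolved author's access to the target as well, or falling back to `user` when the author cannot read it. `commit.author` is defined outside this file, so how it matches an account cannot be confirmed here.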
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index cc5853144c5..42547f6f481 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -123,32 +123,29 @@ class NotificationService
return true if note.note.start_with?('Status changed to closed')
return true if note.cross_reference? && note.system == true
- opts = { noteable_type: note.noteable_type, project_id: note.project_id }
-
target = note.noteable
- if target.respond_to?(:participants)
- recipients = target.participants
- else
- recipients = note.mentioned_users
- end
+ recipients = []
if note.commit_id.present?
- opts.merge!(commit_id: note.commit_id)
recipients << note.commit_author
- else
- opts.merge!(noteable_id: note.noteable_id)
end
# Get users who left comment in thread
- recipients = recipients.concat(User.where(id: Note.where(opts).pluck(:author_id)))
+ recipients = recipients.concat(noteable_commenters(note))
# Merge project watchers
recipients = recipients.concat(project_watchers(note.project)).compact.uniq
- # Reject mention users unless mentioned in comment
- recipients = reject_mention_users(recipients - note.mentioned_users, note.project)
- recipients = recipients + note.mentioned_users
+ # Reject users with Mention notification level
+ recipients = reject_mention_users(recipients, note.project)
+
+ # Add explicitly mentioned users
+ if target.respond_to?(:participants)
+ recipients = recipients.concat(target.participants)
+ else
+ recipients = recipients.concat(note.mentioned_users)
+ end
# Reject mutes users
recipients = reject_muted_users(recipients, note.project)
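Review bot: `target.participants` and `note.mentioned_users` are called without a user here, whereas the same merge passes `current_user` to `participants` in `Projects::ParticipantsService`. Whatever default those methods use decides whose permissions filter the mentions that become e-mail recipients, and that default is not visible in this hunk. Passing the note's author explicitly, e.g. `recipients = recipients.concat(target.participants(note.author))`, would make the check obvious, assuming `Note` exposes `author`. The comment `# Add explicitly mentioned users` also undersells the branch if `participants` returns more than mentioned users. The method continues outside the hunk.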
@@ -195,6 +192,18 @@ class NotificationService
protected
+ def noteable_commenters(note)
+ opts = { noteable_type: note.noteable_type, project_id: note.project_id }
+
+ if note.commit_id.present?
+ opts.merge!(commit_id: note.commit_id)
+ else
+ opts.merge!(noteable_id: note.noteable_id)
+ end
+
+ User.where(id: Note.where(opts).pluck(:author_id))
+ end
+
# Get project users with WATCH notification level
def project_watchers(project)
project_members = project_member_notification(project)
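Review bot: `noteable_commenters` returns every account that ever commented on the noteable, with no check that the account can still read the project. Unless a later step in the recipient pipeline (outside this hunk) drops such users, someone removed from a private project would keep receiving note content by e-mail. The helper also lacks the one-line comment its neighbour `project_watchers` has; `# Get users who commented on the same noteable or commit; not filtered by current project access` would state the contract.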
diff --git a/app/services/projects/participants_service.rb b/app/services/projects/participants_service.rb
index bcbacbff562..ae6260bcdab 100644
--- a/app/services/projects/participants_service.rb
+++ b/app/services/projects/participants_service.rb
@@ -1,10 +1,5 @@
module Projects
class ParticipantsService < BaseService
- def initialize(project, user)
- @project = project
- @user = user
- end
-
def execute(note_type, note_id)
participating =
if note_type && note_id
@@ -12,7 +7,7 @@ module Projects
else
[]
end
- project_members = sorted(@project.team.members)
+ project_members = sorted(project.team.members)
participants = all_members + groups + project_members + participating
participants.uniq
end
@@ -20,11 +15,11 @@ module Projects
def participants_in(type, id)
users = case type
when "Issue"
- issue = @project.issues.find_by_iid(id)
- issue ? issue.participants : []
+ issue = project.issues.find_by_iid(id)
+ issue ? issue.participants(current_user) : []
when "MergeRequest"
- merge_request = @project.merge_requests.find_by_iid(id)
- merge_request ? merge_request.participants : []
+ merge_request = project.merge_requests.find_by_iid(id)
+ merge_request ? merge_request.participants(current_user) : []
when "Commit"
author_ids = Note.for_commit_id(id).pluck(:author_id).uniq
User.where(id: author_ids)
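Review bot: The `when "Commit"` branch is left without the scoping that the Issue and MergeRequest branches get. `Note.for_commit_id(id)` does not appear to be restricted to `project`, so it may return authors of notes on the same commit id in other projects, including ones the current user cannot see. Restricting the query, for example `author_ids = Note.where(project_id: project.id).for_commit_id(id).pluck(:author_id).uniq`, would keep the list to commenters in this project; this assumes `for_commit_id` is a chainable scope. The `case` statement continues past the end of the hunk.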
@@ -41,14 +36,14 @@ module Projects
end
def groups
- @user.authorized_groups.sort_by(&:path).map do |group|
+ current_user.authorized_groups.sort_by(&:path).map do |group|
count = group.users.count
{ username: group.path, name: "#{group.name} (#{count})" }
end
end
def all_members
- count = @project.team.members.flatten.count
+ count = project.team.members.flatten.count
[{ username: "all", name: "All Project and Group Members (#{count})" }]
end
end