authorDouwe Maan <douwe@gitlab.com>2016-01-14 10:36:39 +0000
committerDouwe Maan <douwe@gitlab.com>2016-01-14 10:36:39 +0000
commit9f8c38bdac3d6f532b50ecab1d769652ffb5acc3 (patch)
tree4ed39c5ad4d840d3852836efafbd1dd6b59ee50b /app
parent54734fa6132de6ba2430cba6b279723d1aec8c19 (diff)
parente918493f55eb27cdb779f0bc2d8cbbace8b69aa9 (diff)
Merge branch 'fix/private-references' into 'master'
Show referenced MRs & Issues only when the current viewer can access them This addresses both issues identified in #6066. ## The private MR by user `remy2` with a note referencing to a public issue ![Screen_Shot_2016-01-12_at_16.45.02](/uploads/c245ec2c1fdea1f9ba05183c24e142d9/Screen_Shot_2016-01-12_at_16.45.02.png) --- ## The public issue viewed by user `remy` **who doesn't have access to `remy2/private-project`** before the fix ![Screen_Shot_2016-01-12_at_18.14.50](/uploads/8db5580e803f5bddd6cb935233c579a0/Screen_Shot_2016-01-12_at_18.14.50.png) --- ## The public issue viewed by user `remy` **who doesn't have access to `remy2/private-project`** with the fix ![Screen_Shot_2016-01-13_at_12.02.32](/uploads/cb199f7b78191fba486a11412412e307/Screen_Shot_2016-01-13_at_12.02.32.png) --- ## The public issue viewed by user `remy2` with the fix (no change) ![Screen_Shot_2016-01-13_at_11.54.06](/uploads/ddece590d69f597a95559beddcd36660/Screen_Shot_2016-01-13_at_11.54.06.png) See merge request !2405
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/issues_controller.rb2
-rw-r--r--app/models/issue.rb4
-rw-r--r--app/models/note.rb4
-rw-r--r--app/views/projects/notes/_notes.html.haml4
4 files changed, 11 insertions, 3 deletions
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index b59b52291fb..f476afb2d92 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
@note = @project.notes.new(noteable: @issue)
@notes = @issue.notes.nonawards.with_associations.fresh
@noteable = @issue
- @merge_requests = @issue.referenced_merge_requests
+ @merge_requests = @issue.referenced_merge_requests(current_user)
respond_with(@issue)
end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index f52e47f3e62..7beba984608 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
reference
end
- def referenced_merge_requests
+ def referenced_merge_requests(current_user = nil)
Gitlab::ReferenceExtractor.lazily do
[self, *notes].flat_map do |note|
- note.all_references.merge_requests
+ note.all_references(current_user).merge_requests
end
end.sort_by(&:iid)
end
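Review bot: The `current_user = nil` default on `referenced_merge_requests` keeps the viewer optional, so any caller this commit does not update still runs and resolves references for a nil user. What `all_references(nil)` does with a nil user is not visible in this diff. If nil means an anonymous viewer the default fails closed, but if it falls back to another identity or skips the access check, those callers would still list merge requests from private projects. I would make the argument required, or at least state the contract above the method: `# current_user - viewer whose access filters the result; nil is treated as an anonymous viewer (confirm against all_references)`.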
diff --git a/app/models/note.rb b/app/models/note.rb
index 3d5b663c99f..3e1375e5ad6 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -358,6 +358,10 @@ class Note < ActiveRecord::Base
!system? && !is_award
end
+ def cross_reference_not_visible_for?(user)
+ cross_reference? && referenced_mentionables(user).empty?
+ end
+
# Checks if note is an award added as a comment
#
# If note is an award, this method sets is_award to true
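Review bot: `cross_reference_not_visible_for?` hides a note only when `referenced_mentionables(user)` is empty, so the check is all-or-nothing: a note that references several items renders in full as soon as the viewer can access one of them. Whether a multi-reference note can reach this path depends on `cross_reference?`, which is defined outside this hunk and should be confirmed. The new method also has no comment, and the negated name is easy to invert at a call site. I would add `# True when this note is a cross-reference and +user+ cannot access any of the mentionables it points to; callers should skip rendering it.`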
diff --git a/app/views/projects/notes/_notes.html.haml b/app/views/projects/notes/_notes.html.haml
index ca60dd239b2..62db86fb181 100644
--- a/app/views/projects/notes/_notes.html.haml
+++ b/app/views/projects/notes/_notes.html.haml
@@ -2,10 +2,14 @@
- @discussions.each do |discussion_notes|
- note = discussion_notes.first
- if note_for_main_target?(note)
+ - next if note.cross_reference_not_visible_for?(current_user)
+
= render discussion_notes
- else
= render 'projects/notes/discussion', discussion_notes: discussion_notes
- else
- @notes.each do |note|
- next unless note.author
+ - next if note.cross_reference_not_visible_for?(current_user)
+
= render note
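Review bot: The visibility check is enforced only inside this partial, so any other path that outputs notes has to repeat `cross_reference_not_visible_for?(current_user)` itself or it will still expose the hidden cross-references. Other templates and non-HTML responses are not part of this diff, so this needs checking. In the `@discussions` branch only `discussion_notes.first` is tested, and only under `note_for_main_target?`; the remaining notes of a discussion and the `else` branch render unchecked, which is safe only if cross-reference notes never appear there. Filtering the collection once where `@notes` is built, in the controller or a finder, would put the access decision in one place. It would also avoid running reference extraction per note during rendering.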