authorTomasz Maczukin <tomasz@maczukin.pl>2016-01-14 13:30:18 +0100
committerTomasz Maczukin <tomasz@maczukin.pl>2016-01-14 13:30:18 +0100
commit405b82af230921db7b1510183063b126ef908e46 (patch)
tree74fcf1452c271f5ee97c7ad139d4ae91b2c37766 /lib/api/notes.rb
parent6a98fb03e708070641f9fce0eaad761e859a5099 (diff)
parentf981da44ab88012db984e1457170067b345660c1 (diff)
downloadgitlab-ce-405b82af230921db7b1510183063b126ef908e46.tar.gz
Merge branch 'master' into ci/api-builds
* master: (51 commits) Fix version Fix specs and rubocop warnings Improve the consistency of commit titles, branch names, tag names, issue/MR titles, on their respective project pages fixed LDAP activation on login to use new ldap_blocked state Fix Admin/Users view to position buttons without spacing magic Update to Go 1.5.3 Fix the undefinded variable error in Project's safe_import_url method Update CHANGELOG [ci skip] Add some cosmetic changes to variables API documentation [ci skip] Fix misaligned edit button in milestone collection partial Update button styles for Milestones#show Modify builds API documentation style [ci skip] Modify :ci_variable factory Ensure the API doesn't return notes that the current user shouldn't see Add 'Build' prefix to Variables entry name in API docs index Fix some typos Add spec for Note#cross_reference_not_visible_for? Remove (invalid) timestamp formatting Move `BroadcastMessage#status` to a helper since it's presentational Update CHANGELOG ... Conflicts: doc/api/README.md lib/api/api.rb lib/api/entities.rb
Diffstat (limited to 'lib/api/notes.rb')
-rw-r--r--lib/api/notes.rb21
1 files changed, 19 insertions, 2 deletions
diff --git a/lib/api/notes.rb b/lib/api/notes.rb
index 3efdfe2d46e..174473f5371 100644
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -20,7 +20,19 @@ module API
# GET /projects/:id/snippets/:noteable_id/notes
get ":id/#{noteables_str}/:#{noteable_id_str}/notes" do
@noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
- present paginate(@noteable.notes), with: Entities::Note
+
+ # We exclude notes that are cross-references and that cannot be viewed
+ # by the current user. By doing this exclusion at this level and not
+ # at the DB query level (which we cannot in that case), the current
+ # page can have less elements than :per_page even if
+ # there's more than one page.
+ notes =
+ # paginate() only works with a relation. This could lead to a
+ # mismatch between the pagination headers info and the actual notes
+ # array returned, but this is really a edge-case.
+ paginate(@noteable.notes).
+ reject { |n| n.cross_reference_not_visible_for?(current_user) }
+ present notes, with: Entities::Note
end
# Get a single +noteable+ note
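Review bot: The pagination headers are still derived from `paginate(@noteable.notes)` before the `reject` runs, so the totals they report, and a page shorter than :per_page, keep counting cross-reference notes the caller is not allowed to see. The added comment calls the mismatch an edge case but does not say that it lets a caller infer hidden notes exist on this noteable; I would record that in the comment, e.g. `# NOTE: pagination headers still count filtered-out notes, so their existence is observable to the caller.` The `reject` also calls `cross_reference_not_visible_for?(current_user)` once per note on the page; whether each call issues its own query cannot be seen from this hunk and is worth confirming. A request spec asserting both the filtered body and the header values would pin the behaviour that is being accepted here.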
@@ -35,7 +47,12 @@ module API
get ":id/#{noteables_str}/:#{noteable_id_str}/notes/:note_id" do
@noteable = user_project.send(:"#{noteables_str}").find(params[:"#{noteable_id_str}"])
@note = @noteable.notes.find(params[:note_id])
- present @note, with: Entities::Note
+
+ if @note.cross_reference_not_visible_for?(current_user)
+ not_found!("Note")
+ else
+ present @note, with: Entities::Note
+ end
end
# Create a new +noteable+ note
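Review bot: The `not_found!("Note")` branch answers a hidden cross-reference note with a not-found error, presumably the same status a missing note gets, which avoids confirming that the note exists, but nothing in the code says this is intentional. A one-line comment above the `if`, such as `# Respond 404, not 403, so the API does not reveal that a hidden note exists`, would keep a later change from "correcting" it to a forbidden error. This check and the `reject` in the list endpoint are the only two visible uses of `cross_reference_not_visible_for?`; other routes in this file that load a note by id lie outside the hunk and should be confirmed to carry or not need the same guard.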