Merge remote-tracking branch 'dev/master'

2 files changed, 77 insertions, 5 deletions

diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 3a8948f8477..3802b5c6848 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -155,7 +155,7 @@ describe API::Groups do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
         expect(json_response).to be_an Array
-        expect(response_groups).to eq(Group.visible_to_user(user1).order(:name).pluck(:name))
+        expect(response_groups).to eq(groups_visible_to_user(user1).order(:name).pluck(:name))
       end
 
       it "sorts in descending order when passed" do
@@ -164,7 +164,7 @@ describe API::Groups do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
         expect(json_response).to be_an Array
-        expect(response_groups).to eq(Group.visible_to_user(user1).order(name: :desc).pluck(:name))
+        expect(response_groups).to eq(groups_visible_to_user(user1).order(name: :desc).pluck(:name))
       end
 
       it "sorts by path in order_by param" do
@@ -173,7 +173,7 @@ describe API::Groups do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
         expect(json_response).to be_an Array
-        expect(response_groups).to eq(Group.visible_to_user(user1).order(:path).pluck(:name))
+        expect(response_groups).to eq(groups_visible_to_user(user1).order(:path).pluck(:name))
       end
 
       it "sorts by id in the order_by param" do
@@ -182,7 +182,7 @@ describe API::Groups do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
         expect(json_response).to be_an Array
-        expect(response_groups).to eq(Group.visible_to_user(user1).order(:id).pluck(:name))
+        expect(response_groups).to eq(groups_visible_to_user(user1).order(:id).pluck(:name))
       end
 
       it "sorts also by descending id with pagination fix" do
@@ -191,7 +191,7 @@ describe API::Groups do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
         expect(json_response).to be_an Array
-        expect(response_groups).to eq(Group.visible_to_user(user1).order(id: :desc).pluck(:name))
+        expect(response_groups).to eq(groups_visible_to_user(user1).order(id: :desc).pluck(:name))
       end
 
       it "sorts identical keys by id for good pagination" do
@@ -211,6 +211,10 @@ describe API::Groups do
         expect(json_response).to be_an Array
         expect(response_groups_ids).to eq(Group.select { |group| group['name'] == 'same-name' }.map { |group| group['id'] }.sort)
       end
+
+      def groups_visible_to_user(user)
+        Group.where(id: user.authorized_groups.select(:id).reorder(nil))
+      end
     end
 
     context 'when using owned in the request' do
diff --git a/spec/requests/api/redacted_events_spec.rb b/spec/requests/api/redacted_events_spec.rb
new file mode 100644
index 00000000000..086dd3df9ba
--- /dev/null
+++ b/spec/requests/api/redacted_events_spec.rb
@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe 'Redacted events in API::Events' do
+  shared_examples 'private events are redacted' do
+    it 'redacts events the user does not have access to' do
+      expect_any_instance_of(Event).to receive(:visible_to_user?).and_call_original
+
+      get api(path), user
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to contain_exactly(
+        'project_id' => nil,
+        'action_name' => nil,
+        'target_id' => nil,
+        'target_iid' => nil,
+        'target_type' => nil,
+        'author_id' => nil,
+        'target_title' => 'Confidential event',
+        'created_at' => nil,
+        'author_username' => nil
+      )
+    end
+  end
+
+  describe '/users/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/users/#{project.owner.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views another user with private events' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views another user with private events' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+
+  describe '/projects/:id/events' do
+    let(:project) { create(:project, :public) }
+    let(:path) { "/projects/#{project.id}/events" }
+    let(:issue) { create(:issue, :confidential, project: project) }
+
+    before do
+      EventCreateService.new.open_issue(issue, issue.author)
+    end
+
+    context 'unauthenticated user views public project' do
+      let(:user) { nil }
+
+      include_examples 'private events are redacted'
+    end
+
+    context 'authenticated user without access views public project' do
+      let(:user) { create(:user) }
+
+      include_examples 'private events are redacted'
+    end
+  end
+end