From 2730ae1d869af4ddd48dc312d230c1bcafec19b5 Mon Sep 17 00:00:00 2001
From: Reuben Pereira <reuben453@gmail.com>
Date: Thu, 5 Jul 2018 01:26:09 +0530
Subject: [PATCH] Use a custom ProjectParser#nodes_visible_to_user function so
 that the user permissions for all project references can be checked together

---
 lib/banzai/reference_parser/project_parser.rb | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/lib/banzai/reference_parser/project_parser.rb b/lib/banzai/reference_parser/project_parser.rb
index 54fd3c38a85..787cb671b2d 100644
--- a/lib/banzai/reference_parser/project_parser.rb
+++ b/lib/banzai/reference_parser/project_parser.rb
@@ -7,10 +7,29 @@ module Banzai
         Project
       end
 
+      def nodes_visible_to_user(user, nodes)
+        nodes_projects_hash = lazy { projects_for_nodes(nodes) }
+        project_attr = 'data-project'
+
+        readable_project_ids = projects_readable_by_user(nodes_projects_hash.values, user)
+
+        nodes.select do |node|
+          if node.has_attribute?(project_attr)
+            readable_project_ids.include?(nodes_projects_hash[node].try(:id))
+          else
+            true
+          end
+        end
+      end
+
       private
 
-      def can_read_reference?(user, ref_project, node)
-        can?(user, :read_project, ref_project)
+      # Returns an Array of Project ids that can be read by the given user.
+      #
+      # projects - The projects to reduce down to those readable by the user.
+      # user - The User for which to check the projects
+      def projects_readable_by_user(projects, user)
+        Project.public_or_visible_to_user(user).where("projects.id IN (?)", projects.collect(&:id)).pluck(:id)
       end
     end
   end