Show referenced MRs & Issues only when the current viewer can access them

2016-01-12 18:10:06 +01:00 · 2016-01-12 18:10:06 +01:00 · 9d7f88c122
commit 9d7f88c122
parent c4511a1234
8 changed files with 155 additions and 3 deletions
--- a/1
+++ b/1
@ -38,6 +38,7 @@ v 8.4.0 (unreleased)
  - Ajax filter by message for commits page
  - API: Add support for deleting a tag via the API (Robert Schilling)
  - Allow subsequent validations in CI Linter
+  - Show referenced MRs & Issues only when the current viewer can access them

 v 8.3.3
  - Preserve CE behavior with JIRA integration by only calling API if URL is set
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@ -61,7 +61,7 @@ class Projects::IssuesController < Projects::ApplicationController
    @note = @project.notes.new(noteable: @issue)
    @notes = @issue.notes.nonawards.with_associations.fresh
    @noteable = @issue
-    @merge_requests = @issue.referenced_merge_requests
+    @merge_requests = @issue.referenced_merge_requests(current_user)

    respond_with(@issue)
  end
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -85,10 +85,10 @@ class Issue < ActiveRecord::Base
    reference
  end

-  def referenced_merge_requests
+  def referenced_merge_requests(current_user = nil)
    Gitlab::ReferenceExtractor.lazily do
      [self, *notes].flat_map do |note|
-        note.all_references.merge_requests
+        note.all_references(current_user).merge_requests
      end
    end.sort_by(&:iid)
  end
--- a/app/views/projects/notes/_notes.html.haml
+++ b/app/views/projects/notes/_notes.html.haml
@ -8,4 +8,5 @@
 - else
  - @notes.each do |note|
    - next unless note.author
+    - next if note.cross_reference? && note.referenced_mentionables(current_user).empty?
    = render note
--- a/features/project/issues/references.feature
+++ b/features/project/issues/references.feature
@ -0,0 +1,31 @@
+@project_issues
+Feature: Project Issues References
+  Background:
+    Given I sign in as "John Doe"
+    And "John Doe" owns public project "Community"
+    And project "Community" has "Public Issue 01" open issue
+    And I logout
+    And I sign in as "Mary Jane"
+    And "Mary Jane" owns private project "Private Library"
+    And project "Private Library" has "Fix NS-01" open merge request
+    And project "Private Library" has "Private Issue 01" open issue
+    And I visit merge request page "Fix NS-01"
+    And I leave a comment referencing issue "Public Issue 01" from "Fix NS-01" merge request
+    And I visit issue page "Private Issue 01"
+    And I leave a comment referencing issue "Public Issue 01" from "Private Issue 01" issue
+    And I logout
+
+  @javascript
+  Scenario: Viewing the public issue as a "John Doe"
+    Given I sign in as "John Doe"
+    When I visit issue page "Public Issue 01"
+    Then I should not see any related merge requests
+    And I should see no notes at all
+
+  @javascript
+  Scenario: Viewing the public issue as "Mary Jane"
+    Given I sign in as "Mary Jane"
+    When I visit issue page "Public Issue 01"
+    Then I should see the "Fix NS-01" related merge request
+    And I should see a note linking to "Fix NS-01" merge request
+    And I should see a note linking to "Private Issue 01" issue
--- a/features/steps/project/issues/references.rb
+++ b/features/steps/project/issues/references.rb
@ -0,0 +1,106 @@
+class Spinach::Features::ProjectIssuesReferences < Spinach::FeatureSteps
+  include SharedAuthentication
+  include SharedNote
+  include SharedProject
+  include SharedUser
+
+  step 'project "Community" has "Public Issue 01" open issue' do
+    project = Project.find_by(name: 'Community')
+    create(:issue,
+           title: 'Public Issue 01',
+           project: project,
+           author: project.users.first,
+           description: '# Description header'
+          )
+  end
+
+  step 'project "Private Library" has "Fix NS-01" open merge request' do
+    project = Project.find_by(name: 'Private Library')
+    create(:merge_request,
+           title: 'Fix NS-01',
+           source_project: project,
+           target_project: project,
+           source_branch: 'fix',
+           target_branch: 'master',
+           author: project.users.first,
+           description: '# Description header'
+          )
+  end
+
+  step 'project "Private Library" has "Private Issue 01" open issue' do
+    project = Project.find_by(name: 'Private Library')
+    create(:issue,
+           title: 'Private Issue 01',
+           project: project,
+           author: project.users.first,
+           description: '# Description header'
+          )
+  end
+
+  step 'I leave a comment referencing issue "Public Issue 01" from "Fix NS-01" merge request' do
+    project = Project.find_by(name: 'Private Library')
+    issue = Issue.find_by!(title: 'Public Issue 01')
+
+    page.within(".js-main-target-form") do
+      fill_in "note[note]", with: "##{issue.to_reference(project)}"
+      click_button "Add Comment"
+    end
+  end
+
+  step 'I leave a comment referencing issue "Public Issue 01" from "Private Issue 01" issue' do
+    project = Project.find_by(name: 'Private Library')
+    issue = Issue.find_by!(title: 'Public Issue 01')
+
+    page.within(".js-main-target-form") do
+      fill_in "note[note]", with: "##{issue.to_reference(project)}"
+      click_button "Add Comment"
+    end
+  end
+
+  step 'I visit merge request page "Fix NS-01"' do
+    mr = MergeRequest.find_by(title: "Fix NS-01")
+    visit namespace_project_merge_request_path(mr.target_project.namespace, mr.target_project, mr)
+  end
+
+  step 'I visit issue page "Private Issue 01"' do
+    issue = Issue.find_by(title: "Private Issue 01")
+    visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
+  end
+
+  step 'I visit issue page "Public Issue 01"' do
+    issue = Issue.find_by(title: "Public Issue 01")
+    visit namespace_project_issue_path(issue.project.namespace, issue.project, issue)
+  end
+
+  step 'I should not see any related merge requests' do
+    page.within '.issue-details' do
+      expect(page).not_to have_content('.merge-requests')
+    end
+  end
+
+  step 'I should see the "Fix NS-01" related merge request' do
+    page.within '.merge-requests' do
+      expect(page).to have_content("1 Related Merge Request")
+      expect(page).to have_content('Fix NS-01')
+    end
+  end
+
+  step 'I should see a note linking to "Fix NS-01" merge request' do
+    project = Project.find_by(name: 'Community')
+    mr = MergeRequest.find_by(title: 'Fix NS-01')
+    page.within('.notes') do
+      expect(page).to have_content('Mary Jane')
+      expect(page).to have_content("mentioned in merge request #{mr.to_reference(project)}")
+    end
+  end
+
+  step 'I should see a note linking to "Private Issue 01" issue' do
+    project = Project.find_by(name: 'Community')
+    issue = Issue.find_by(title: 'Private Issue 01')
+    page.within('.notes') do
+      expect(page).to have_content('Mary Jane')
+      expect(page).to have_content("mentioned in issue #{issue.to_reference(project)}")
+    end
+  end
+
+end
--- a/features/steps/shared/note.rb
+++ b/features/steps/shared/note.rb
@ -106,6 +106,12 @@ module SharedNote
    end
  end

+  step 'I should see no notes at all' do
+    page.within('.notes') do
+      expect(page).to_not have_css('.note')
+    end
+  end
+
  # Markdown

  step 'I leave a comment with a header containing "Comment with a header"' do
--- a/features/steps/shared/project.rb
+++ b/features/steps/shared/project.rb
@ -181,6 +181,13 @@ module SharedProject
    project.team << [user, :master]
  end

+  step '"Mary Jane" owns private project "Private Library"' do
+    user = user_exists('Mary Jane', username: 'mary_jane')
+    project = Project.find_by(name: 'Private Library')
+    project ||= create(:project, name: 'Private Library', namespace: user.namespace)
+    project.team << [user, :master]
+  end
+
  step 'public empty project "Empty Public Project"' do
    create :project_empty_repo, :public, name: "Empty Public Project"
  end