From c400030d0f51c71f32990ab0ecfebfa245ed663e Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Fri, 23 Jun 2017 12:50:33 +0100
Subject: [PATCH] Don't count any confidential issues for non-project-members

---
 app/finders/issuable_finder.rb |  2 +-
 app/finders/issues_finder.rb   | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 558f8b5e2e5..e8605f3d5b3 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -62,7 +62,7 @@ class IssuableFinder
   # grouping and counting within that query.
   #
   def count_by_state
-    count_params = params.merge(state: nil, sort: nil)
+    count_params = params.merge(state: nil, sort: nil, for_counting: true)
     labels_count = label_names.any? ? label_names.count : 1
     finder = self.class.new(current_user, count_params)
     counts = Hash.new(0)
diff --git a/app/finders/issues_finder.rb b/app/finders/issues_finder.rb
index 328198c026a..b213a7aebfd 100644
--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -23,8 +23,8 @@ class IssuesFinder < IssuableFinder
   end
 
   def not_restricted_by_confidentiality
-    return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
     return Issue.all if user_can_see_all_confidential_issues?
+    return Issue.where('issues.confidential IS NOT TRUE') if user_cannot_see_confidential_issues?
 
     Issue.where('
       issues.confidential IS NOT TRUE
@@ -37,16 +37,19 @@ class IssuesFinder < IssuableFinder
   end
 
   def user_can_see_all_confidential_issues?
-    return false unless current_user
-    return true if current_user.full_private_access?
+    return @user_can_see_all_confidential_issues = false if current_user.blank?
+    return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
 
-    project? &&
+    @user_can_see_all_confidential_issues =
+      project? &&
       project &&
       project.team.max_member_access(current_user.id) >= CONFIDENTIAL_ACCESS_LEVEL
   end
 
   def user_cannot_see_confidential_issues?
-    current_user.blank?
+    return false if user_can_see_all_confidential_issues?
+
+    current_user.blank? || params[:for_counting]
   end
 
   private