From e60ec75303475083746e2d09d2a99cc5c6ea0221 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarka=20Kadlecov=C3=A1?=
Date: Tue, 17 Jul 2018 16:16:46 +0200
Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20do=20authorisation=20checks=20f?= =?UTF-8?q?or=20todos?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/finders/todos_finder.rb | 19 -------------------
 spec/finders/todos_finder_spec.rb | 26 --------------------------
 2 files changed, 45 deletions(-)

diff --git a/app/finders/todos_finder.rb b/app/finders/todos_finder.rb
index 2156413fb26..c505a5cc8d5 100644
--- a/app/finders/todos_finder.rb
+++ b/app/finders/todos_finder.rb
@@ -39,7 +39,6 @@ class TodosFinder
 # Filtering by project HAS TO be the last because we use
 # the project IDs yielded by the todos query thus far
 items = by_project(items)
- items = visible_to_user(items)
 sort(items)
 end
@@ -96,10 +95,6 @@ class TodosFinder
 @project = Project.find(params[:project_id])
 @project = nil if @project.pending_delete?
-
- unless Ability.allowed?(current_user, :read_project, @project)
- @project = nil
- end
 else
 @project = nil
 end
@@ -170,20 +165,6 @@ class TodosFinder
 items
 end
- def visible_to_user(items)
- projects = Project.public_or_visible_to_user(current_user)
- groups = Group.public_or_visible_to_user(current_user)
-
- items
- .joins('LEFT JOIN namespaces ON namespaces.id = todos.group_id')
- .joins('LEFT JOIN projects ON projects.id = todos.project_id')
- .where(
- 'project_id IN (?) OR group_id IN (?)',
- projects.select(:id),
- groups.select(:id)
- )
- end
-
 def by_state(items)
 case params[:state].to_s
 when 'done'
diff --git a/spec/finders/todos_finder_spec.rb b/spec/finders/todos_finder_spec.rb
index 6061021d3b0..7f7cfb2cb98 100644
--- a/spec/finders/todos_finder_spec.rb
+++ b/spec/finders/todos_finder_spec.rb
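Review bot: Removing `items = visible_to_user(items)` from `execute` (and the method itself in the third hunk) means todos whose target project or group the user can no longer read are returned again, so the finder now relies on those todos being deleted elsewhere whenever access is revoked, and nothing in this commit states or tests that invariant. The deleted spec context 'visibility' is not replaced by a test pinning the new expectation that results do not depend on current target visibility. A comment above `items = by_project(items)` would make the dependency explicit, e.g. `# No target-visibility filter here: todos belong to current_user and are presumably removed when access to their target is revoked (confirm in the todo destroy path)`. `execute` begins outside the hunk, so the base scope that `items` starts from is not visible here.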
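Review bot: Without the `Ability.allowed?(current_user, :read_project, @project)` guard in the second hunk, `params[:project_id]` now resolves to any existing project that is not pending deletion, readable by the current user or not, and the enclosing method's header is outside the hunk. If `items` is already scoped to the current user's own todos (the base scope is not visible in this diff), the exposure is limited to that user's entries, but an unreadable project id now behaves differently from a nonexistent one, which `Project.find` raises on, whereas both previously ended with `@project = nil`. That reasoning is worth recording next to the assignment, for instance `# No read_project check: items are scoped to current_user's own todos, so an unreadable project id only ever narrows that user's results`.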
@@ -14,32 +14,6 @@ describe TodosFinder do
 end
 describe '#execute' do
- context 'visibility' do
- let(:private_group_access) { create(:group, :private) }
- let(:private_group_hidden) { create(:group, :private) }
- let(:public_project) { create(:project, :public) }
- let(:private_project_hidden) { create(:project) }
- let(:public_group) { create(:group) }
-
- let!(:todo1) { create(:todo, user: user, project: project, group: nil) }
- let!(:todo2) { create(:todo, user: user, project: public_project, group: nil) }
- let!(:todo3) { create(:todo, user: user, project: private_project_hidden, group: nil) }
- let!(:todo4) { create(:todo, user: user, project: nil, group: group) }
- let!(:todo5) { create(:todo, user: user, project: nil, group: private_group_access) }
- let!(:todo6) { create(:todo, user: user, project: nil, group: private_group_hidden) }
- let!(:todo7) { create(:todo, user: user, project: nil, group: public_group) }
-
- before do
- private_group_access.add_developer(user)
- end
-
- it 'returns only todos with a target a user has access to' do
- todos = finder.new(user).execute
-
- expect(todos).to match_array([todo1, todo2, todo4, todo5, todo7])
- end
- end
-
 context 'filtering' do
 let!(:todo1) { create(:todo, user: user, project: project, target: issue) }
 let!(:todo2) { create(:todo, user: user, group: group, target: merge_request) }