...@@ -111,7 +111,7 @@ module IssuableActions ...@@ -111,7 +111,7 @@ module IssuableActions
end end
notes = prepare_notes_for_rendering(notes) notes = prepare_notes_for_rendering(notes)
notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } notes = notes.select { |n| n.visible_for?(current_user) }
discussions = Discussion.build_collection(notes, issuable) discussions = Discussion.build_collection(notes, issuable)
... ...
......
...@@ -29,7 +29,7 @@ module NotesActions ...@@ -29,7 +29,7 @@ module NotesActions
end end
notes = prepare_notes_for_rendering(notes) notes = prepare_notes_for_rendering(notes)
notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } notes = notes.select { |n| n.visible_for?(current_user) }
notes_json[:notes] = notes_json[:notes] =
if use_note_serializer? if use_note_serializer?
... ...
......
...@@ -327,6 +327,10 @@ class Note < ApplicationRecord ...@@ -327,6 +327,10 @@ class Note < ApplicationRecord
cross_reference? && !all_referenced_mentionables_allowed?(user) cross_reference? && !all_referenced_mentionables_allowed?(user)
end end
def visible_for?(user)
!cross_reference_not_visible_for?(user)
end
def award_emoji? def award_emoji?
can_be_award_emoji? && contains_emoji_only? can_be_award_emoji? && contains_emoji_only?
end end
... ...
......
---
title: Filter out old system notes for epics in notes api endpoint response
merge_request:
author:
type: security
...@@ -32,7 +32,7 @@ module API ...@@ -32,7 +32,7 @@ module API
.includes(:noteable) .includes(:noteable)
.fresh .fresh
notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } notes = notes.select { |n| n.visible_for?(current_user) }
discussions = Kaminari.paginate_array(Discussion.build_collection(notes, noteable)) discussions = Kaminari.paginate_array(Discussion.build_collection(notes, noteable))
present paginate(discussions), with: Entities::Discussion present paginate(discussions), with: Entities::Discussion
...@@ -233,7 +233,7 @@ module API ...@@ -233,7 +233,7 @@ module API
.includes(:noteable) .includes(:noteable)
.fresh .fresh
notes.reject { |n| n.cross_reference_not_visible_for?(current_user) } notes.select { |n| n.visible_for?(current_user) }
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
end end
... ...
......
...@@ -10,7 +10,7 @@ module API ...@@ -10,7 +10,7 @@ module API
end end
def update_note(noteable, note_id) def update_note(noteable, note_id)
note = noteable.notes.find(params[:note_id]) note = noteable.notes.find(note_id)
authorize! :admin_note, note authorize! :admin_note, note
...@@ -59,8 +59,8 @@ module API ...@@ -59,8 +59,8 @@ module API
end end
def get_note(noteable, note_id) def get_note(noteable, note_id)
note = noteable.notes.with_metadata.find(params[:note_id]) note = noteable.notes.with_metadata.find(note_id)
can_read_note = !note.cross_reference_not_visible_for?(current_user) can_read_note = note.visible_for?(current_user)
if can_read_note if can_read_note
present note, with: Entities::Note present note, with: Entities::Note
...@@ -81,6 +81,10 @@ module API ...@@ -81,6 +81,10 @@ module API
noteable || not_found!(noteable_type) noteable || not_found!(noteable_type)
end end
def reject_note?(noteable_type, noteable, parent_type, parent_id, note)
note.cross_reference_not_visible_for?(current_user)
end
def params_by_noteable_type_and_id(type, id) def params_by_noteable_type_and_id(type, id)
target_type = type.name.underscore target_type = type.name.underscore
{ target_type: target_type }.tap do |h| { target_type: target_type }.tap do |h|
... ...
......
...@@ -41,7 +41,7 @@ module API ...@@ -41,7 +41,7 @@ module API
# mismatch between the pagination headers info and the actual notes # mismatch between the pagination headers info and the actual notes
# array returned, but this is really a edge-case. # array returned, but this is really a edge-case.
paginate(raw_notes) paginate(raw_notes)
.reject { |n| n.cross_reference_not_visible_for?(current_user) } .select { |note| note.visible_for?(current_user) }
present notes, with: Entities::Note present notes, with: Entities::Note
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
... ...
......