Remove project from NotesFinder constructor
Add project parameter to specs
Also look for methods in private scope
Fix specs to match new NotesFinder constructor
Add spec for concern IssuableActions
Add shared samples for discussions endpoint
Add schema validations for discussions
Fix rubocop style issue
Make target assignable
Use new possibility to provide target
Fix missing iid query on NotesFinder
Changed parameters of find_noteable,
so changes across a few files were needed.
MergeRequest also requires iid instead of id query
Make NotesFinder fail with RecordNotFound again
Add specs for target_iid
Using RSpec tablesyntax for target_iid specs
Revert "Using RSpec tablesyntax for target_iid specs"
This reverts commit ba45c7f569a.
Allow find_by! here
Fix variable name
Add readable check
Revert "Add readable check"
This reverts commit 9e3a1a7aa39.
Remove unnecessary assignment
Add required changes for EE
Fix parameter count
Reduce code duplication by extracting a noteable module method
The call to find_noteable was redundant so
multiple files and lines have changed in that
commit to use the newly introduced module
method `noteable`.
Replace casecmp with include check
Add parent_type parameter
Revert "Reduce code duplication by extracting
a noteable module method"
This reverts commit 8c0923babf.
Method is no longer needed
Check whether noteable can be read by user
Fix missing Note access checks in by moving Note#search to updated NoteFinder
Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867
## Which fixes are in this MR?
⚠️ - Potentially untested
💣 - No test coverage
🚥 - Test coverage of some sort exists (a test failed when error raised)
🚦 - Test coverage of return value (a test failed when nil used)
✅ - Permissions check tested
### Note lookup without access check
- [x] ✅ app/finders/notes_finder.rb:13 :download_code check
- [x] ✅ app/finders/notes_finder.rb:19 `SnippetsFinder`
- [x] ✅ app/models/note.rb:121 [`Issue#visible_to_user`]
- [x] ✅ lib/gitlab/project_search_results.rb:113
- This is the only use of `app/models/note.rb:121` above, but importantly has no access checks at all. This means it leaks MR comments and snippets when those features are `team-only` in addition to the issue comments which would be fixed by `app/models/note.rb:121`.
- It is only called from SearchController where `can?(current_user, :download_code, @project)` is checked, so commit comments are not leaked.
### Previous discussions
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_13_13 `: download_code` check on commit
- [x] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b915c5267a63628b0bafd23d37792ae73ceae272_19_19 `SnippetsFinder` should be used
- `SnippetsFinder` should check if the snippets feature is enabled -> https://gitlab.com/gitlab-org/gitlab-ce/issues/25223
### Acceptance criteria met?
- [x] Tests added for new code
- [x] TODO comments removed
- [x] Squashed and removed skipped tests
- [x] Changelog entry
- [ ] State Gitlab versions affected and issue severity in description
- [ ] Create technical debt issue for NotesFinder.
- Either split into `NotesFinder::ForTarget` and `NotesFinder::Search` or consider object per notable type such as `NotesFinder::OnIssue`. For the first option could create `NotesFinder::Base` which is either inherited from or which can be included in the other two.
- Avoid case statement anti-pattern in this finder with use of `NotesFinder::OnCommit` etc. Consider something on the finder for this? `Model.finder(user, project)`
- Move `inc_author` to the controller, and implement `related_notes` to replace `non_diff_notes`/`mr_and_commit_notes`
See merge request !2035
GitLab Bot
Patrick Derichs
Stan Hu
Rémy Coutable
Felipe Artur
Oswaldo Ferreira
Mark Chao
Jan Provaznik
blackst0ne
Robert Speicher
Jarka Kadlecova
Douwe Maan
Semyon Pupkov
Douwe Maan
tiagonbotelho
Douglas Barbosa Alexandre
Jeroen van Baarsen
Jacob Vosmaer