Merge branch 'security-epic-notes-api-reveals-historical-info-ce-12-1' into '12-1-stable'

Filter out old system notes for epics in notes api endpoint response

See merge request gitlab/gitlabhq!3310

app/controllers/concerns/issuable_actions.rb

@@ -111,7 +111,7 @@ module IssuableActions
     end
 
     notes = prepare_notes_for_rendering(notes)
-    notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+    notes = notes.select { |n| n.visible_for?(current_user) }
 
     discussions = Discussion.build_collection(notes, issuable)
 

app/controllers/concerns/notes_actions.rb

@@ -29,7 +29,7 @@ module NotesActions
     end
 
     notes = prepare_notes_for_rendering(notes)
-    notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+    notes = notes.select { |n| n.visible_for?(current_user) }
 
     notes_json[:notes] =
       if use_note_serializer?

app/models/note.rb

@@ -327,6 +327,10 @@ class Note < ApplicationRecord
     cross_reference? && !all_referenced_mentionables_allowed?(user)
   end
 
+  def visible_for?(user)
+    !cross_reference_not_visible_for?(user)
+  end
+
   def award_emoji?
     can_be_award_emoji? && contains_emoji_only?
   end

changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml

+---
+title: Filter out old system notes for epics in notes api endpoint response
+merge_request:
+author:
+type: security

lib/api/discussions.rb

@@ -32,7 +32,7 @@ module API
             .includes(:noteable)
             .fresh
 
-          notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+          notes = notes.select { |n| n.visible_for?(current_user) }
           discussions = Kaminari.paginate_array(Discussion.build_collection(notes, noteable))
 
           present paginate(discussions), with: Entities::Discussion
@@ -233,7 +233,7 @@ module API
           .includes(:noteable)
           .fresh
 
-        notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+        notes.select { |n| n.visible_for?(current_user) }
       end
       # rubocop: enable CodeReuse/ActiveRecord
     end

lib/api/helpers/notes_helpers.rb

@@ -10,7 +10,7 @@ module API
       end
 
       def update_note(noteable, note_id)
-        note = noteable.notes.find(params[:note_id])
+        note = noteable.notes.find(note_id)
 
         authorize! :admin_note, note
 
@@ -59,8 +59,8 @@ module API
       end
 
       def get_note(noteable, note_id)
-        note = noteable.notes.with_metadata.find(params[:note_id])
-        can_read_note = !note.cross_reference_not_visible_for?(current_user)
+        note = noteable.notes.with_metadata.find(note_id)
+        can_read_note = note.visible_for?(current_user)
 
         if can_read_note
           present note, with: Entities::Note
@@ -81,6 +81,10 @@ module API
         noteable || not_found!(noteable_type)
       end
 
+      def reject_note?(noteable_type, noteable, parent_type, parent_id, note)
+        note.cross_reference_not_visible_for?(current_user)
+      end
+
       def params_by_noteable_type_and_id(type, id)
         target_type = type.name.underscore
         { target_type: target_type }.tap do |h|

lib/api/notes.rb

@@ -41,7 +41,7 @@ module API
             # mismatch between the pagination headers info and the actual notes
             # array returned, but this is really a edge-case.
             paginate(raw_notes)
-            .reject { |n| n.cross_reference_not_visible_for?(current_user) }
+            .select { |note| note.visible_for?(current_user) }
           present notes, with: Entities::Note
         end
         # rubocop: enable CodeReuse/ActiveRecord