Filter out old system notes for epics

c9b4dc67 · Patrick Derichs · 20920f80 · c9b4dc67 · c9b4dc67 · c9b4dc67
7 changed file
--- a/app/controllers/concerns/issuable_actions.rb
+++ b/app/controllers/concerns/issuable_actions.rb
@@ -110,7 +110,7 @@ module IssuableActions
    end
    notes = prepare_notes_for_rendering(notes)
-    notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+    notes = notes.select { |n| n.visible_for?(current_user) }
    discussions = Discussion.build_collection(notes, issuable)

--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -29,7 +29,7 @@ module NotesActions
    end
    notes = prepare_notes_for_rendering(notes)
-    notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+    notes = notes.select { |n| n.visible_for?(current_user) }
    notes_json[:notes] =
      if use_note_serializer?

--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -331,6 +331,10 @@ class Note < ApplicationRecord
    cross_reference? && !all_referenced_mentionables_allowed?(user)
  end
+  def visible_for?(user)
+    !cross_reference_not_visible_for?(user)
+  end
  def award_emoji?
    can_be_award_emoji? && contains_emoji_only?
  end

--- a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
+++ b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
+---
+title: Filter out old system notes for epics in notes api endpoint response
+merge_request:
+author:
+type: security
--- a/lib/api/discussions.rb
+++ b/lib/api/discussions.rb
@@ -239,7 +239,7 @@ module API
        # because notes are redacted if they point to projects that
        # cannot be accessed by the user.
        notes = prepare_notes_for_rendering(notes)
-        notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+        notes.select { |n| n.visible_for?(current_user) }
      end
      # rubocop: enable CodeReuse/ActiveRecord
    end

--- a/lib/api/helpers/notes_helpers.rb
+++ b/lib/api/helpers/notes_helpers.rb
@@ -12,7 +12,7 @@ module API
      end
      def update_note(noteable, note_id)
-        note = noteable.notes.find(params[:note_id])
+        note = noteable.notes.find(note_id)
        authorize! :admin_note, note
@@ -61,8 +61,8 @@ module API
      end
      def get_note(noteable, note_id)
-        note = noteable.notes.with_metadata.find(params[:note_id])
+        note = noteable.notes.with_metadata.find(note_id)
-        can_read_note = !note.cross_reference_not_visible_for?(current_user)
+        can_read_note = note.visible_for?(current_user)
        if can_read_note
          present note, with: Entities::Note

--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
@@ -42,7 +42,7 @@ module API
          # array returned, but this is really a edge-case.
          notes = paginate(raw_notes)
          notes = prepare_notes_for_rendering(notes)
-          notes = notes.reject { |n| n.cross_reference_not_visible_for?(current_user) }
+          notes = notes.select { |note| note.visible_for?(current_user) }
          present notes, with: Entities::Note
        end
        # rubocop: enable CodeReuse/ActiveRecord