Douwe Maan authored
Replace issue access checks with use of IssuableFinder Split from !2024 to partially solve https://gitlab.com/gitlab-org/gitlab-ce/issues/23867 ## Which fixes are in this MR?
⚠- Potentially untested 💣- No test coverage 🚥- Test coverage of some sort exists (a test failed when error raised) 🚦- Test coverage of return value (a test failed when nil used) ✅- Permissions check tested ### Issue lookup with access check Using `visible_to_user` likely makes these security issues too. See [Code smells](#code-smells). - [x] 🚦app/finders/notes_finder.rb:15 [`visible_to_user`] - [x] 🚥app/views/layouts/nav/_project.html.haml:73 [`visible_to_user`] [`.count`] - [x] ✅app/services/merge_requests/build_service.rb:84 [`issue.try(:confidential?)`] - [x] ✅lib/api/issues.rb:112 [`visible_to_user`] - CHANGELOG: Prevented API returning issues set to 'Only team members' to everyone - [x] ✅lib/api/helpers.rb:126 [`can?(current_user, :read_issue, issue)`] Maybe here too? - [x] ✅lib/gitlab/search_results.rb:53 [`visible_to_user`] ### Previous discussions - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#b2ff264eddf9819d7693c14ae213d941494fe2b3_128_126 - [ ] https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2024/diffs#7b6375270d22f880bdcb085e47b519b426a5c6c7_87_87 See merge request !20313bf34fac