Restrict access for confidential issues on autocomplete

app/controllers/projects_controller.rb

@@ -135,7 +135,7 @@ class ProjectsController < ApplicationController
   def autocomplete_sources
     note_type = params['type']
     note_id = params['type_id']
-    autocomplete = ::Projects::AutocompleteService.new(@project)
+    autocomplete = ::Projects::AutocompleteService.new(@project, current_user)
     participants = ::Projects::ParticipantsService.new(@project, current_user).execute(note_type, note_id)
 
     @suggestions = {

app/models/issue.rb

@@ -45,7 +45,6 @@ class Issue < ActiveRecord::Base
   scope :cared, ->(user) { where(assignee_id: user) }
   scope :open_for, ->(user) { opened.assigned_to(user) }
   scope :in_projects, ->(project_ids) { where(project_id: project_ids) }
-  scope :not_confidential, -> { where(confidential: false) }
 
   state_machine :state, initial: :opened do
     event :close do
@@ -66,7 +65,7 @@ class Issue < ActiveRecord::Base
   end
 
   def self.available_for(user)
-    return not_confidential if user.blank?
+    return where(confidential: false) if user.blank?
     return all if user.admin?
 
     issues_table = self.arel_table

app/services/projects/autocomplete_service.rb

 module Projects
   class AutocompleteService < BaseService
-    def initialize(project)
-      @project = project
-    end
-
     def issues
-      @project.issues.not_confidential.opened.select([:iid, :title])
+      @project.issues.available_for(current_user).opened.select([:iid, :title])
     end
 
     def merge_requests

spec/services/projects/autocomplete_service_spec.rb

 require 'spec_helper'
 
 describe Projects::AutocompleteService, services: true do
+  describe '#issues' do
+    describe 'confidential issues' do
+      let(:author) { create(:user) }
+      let(:assignee) { create(:user) }
+      let(:non_member) { create(:user) }
+      let(:member) { create(:user) }
+      let(:admin) { create(:admin) }
       let(:project) { create(:empty_project, :public) }
+      let!(:issue) { create(:issue, project: project, title: 'Issue 1') }
+      let!(:security_issue_1) { create(:issue, :confidential, project: project, title: 'Security issue 1', author: author) }
+      let!(:security_issue_2) { create(:issue, :confidential, title: 'Security issue 2', project: project, assignee: assignee) }
 
-  subject(:autocomplete) { described_class.new(project) }
+      it 'should not list project confidential issues for guests' do
+        autocomplete = described_class.new(project, nil)
+        issues = autocomplete.issues.map(&:iid)
 
-  describe '#issues' do
-    it 'should not list confidential issues' do
-      issue = create(:issue, project: project)
-      create(:issue, :confidential, project: project)
+        expect(issues).to include issue.iid
+        expect(issues).not_to include security_issue_1.iid
+        expect(issues).not_to include security_issue_2.iid
+        expect(issues.count).to eq 1
+      end
+
+      it 'should not list project confidential issues for non project members' do
+        autocomplete = described_class.new(project, non_member)
+        issues = autocomplete.issues.map(&:iid)
+
+        expect(issues).to include issue.iid
+        expect(issues).not_to include security_issue_1.iid
+        expect(issues).not_to include security_issue_2.iid
+        expect(issues.count).to eq 1
+      end
+
+      it 'should list project confidential issues for author' do
+        autocomplete = described_class.new(project, author)
+        issues = autocomplete.issues.map(&:iid)
+
+        expect(issues).to include issue.iid
+        expect(issues).to include security_issue_1.iid
+        expect(issues).not_to include security_issue_2.iid
+        expect(issues.count).to eq 2
+      end
 
-      expect(autocomplete.issues.map(&:iid)).to eq [issue.iid]
+      it 'should list project confidential issues for assignee' do
+        autocomplete = described_class.new(project, assignee)
+        issues = autocomplete.issues.map(&:iid)
+
+        expect(issues).to include issue.iid
+        expect(issues).not_to include security_issue_1.iid
+        expect(issues).to include security_issue_2.iid
+        expect(issues.count).to eq 2
+      end
+
+      it 'should list project confidential issues for project members' do
+        project.team << [member, :developer]
+
+        autocomplete = described_class.new(project, member)
+        issues = autocomplete.issues.map(&:iid)
+
+        expect(issues).to include issue.iid
+        expect(issues).to include security_issue_1.iid
+        expect(issues).to include security_issue_2.iid
+        expect(issues.count).to eq 3
+      end
+
+      it 'should list all project issues for admin' do
+        autocomplete = described_class.new(project, admin)
+        issues = autocomplete.issues.map(&:iid)
+
+        expect(issues).to include issue.iid
+        expect(issues).to include security_issue_1.iid
+        expect(issues).to include security_issue_2.iid
+        expect(issues.count).to eq 3
+      end
     end
   end
 end