Add class method to restrict access to issues and avoid code duplication

5c4026cc · Douglas Barbosa Alexandre · 3d244b4c · 5c4026cc · 5c4026cc · 5c4026cc
Commit 5c4026cc authored Mar 02, 2016 by Douglas Barbosa Alexandre
6 changed files
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -40,7 +40,6 @@ class IssuableFinder
    items = by_author(items)
    items = by_label(items)
    items = by_weight(items)
-    items = by_confidentiality(items)
    sort(items)
  end
@@ -309,26 +308,6 @@ class IssuableFinder
    params[:weight] == Issue::WEIGHT_ANY
  end
-  def by_confidentiality(items)
-    return items unless klass == Issue
-    if current_user
-      if current_user.admin? || project.team.member?(current_user.id)
-        items
-      else
-        issuable_table = items.arel_table
-        items.where(
-          issuable_table[:confidential].eq(false).or(
-            issuable_table[:confidential].eq(true).and(issuable_table[:author_id].eq(current_user.id))
-          )
-        )
-      end
-    else
-      items.not_confidential
-    end
-  end
  def label_names
    params[:label_name].split(',')
  end

--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -19,4 +19,10 @@ class IssuesFinder < IssuableFinder
  def klass
    Issue
  end
+  private
+  def init_collection
+    Issue.available_for(current_user)
+  end
 end
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -65,6 +65,24 @@ class Issue < ActiveRecord::Base
    attributes
  end
+  def self.available_for(user)
+    return not_confidential if user.blank?
+    return all if user.admin?
+    issues_table = self.arel_table
+    project_ids  = user.authorized_projects.pluck(:id)
+    where(
+      issues_table[:confidential].eq(false).or(
+        issues_table[:confidential].eq(true).and(
+          issues_table[:author_id].eq(user.id).or(
+            issues_table[:project_id].in(project_ids)
+          )
+        )
+      )
+    )
+  end
  def self.reference_prefix
    '#'
  end

--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -22,20 +22,6 @@ module API
        issues.includes(:milestone).where('milestones.title' => milestone)
      end
-      def filter_issues_confidentiality(issues)
-        if current_user.admin? || user_project.team.member?(current_user.id)
-          issues
-        else
-          issuable_table = issues.arel_table
-          issues.where(
-            issuable_table[:confidential].eq(false).or(
-              issuable_table[:author_id].eq(current_user.id).and(issuable_table[:confidential].eq(true))
-            )
-          )
-        end
-      end
      def create_spam_log(project, current_user, attrs)
        params = attrs.merge({
          source_ip: env['REMOTE_ADDR'],
@@ -96,11 +82,10 @@ module API
      #   GET /projects/:id/issues?milestone=1.0.0&state=closed
      #   GET /issues?iid=42
      get ":id/issues" do
-        issues = user_project.issues
+        issues = user_project.issues.available_for(current_user)
        issues = filter_issues_state(issues, params[:state]) unless params[:state].nil?
        issues = filter_issues_labels(issues, params[:labels]) unless params[:labels].nil?
        issues = filter_by_iid(issues, params[:iid]) unless params[:iid].nil?
-        issues = filter_issues_confidentiality(issues)
        unless params[:milestone].nil?
          issues = filter_issues_milestone(issues, params[:milestone])

--- a/lib/gitlab/project_search_results.rb
+++ b/lib/gitlab/project_search_results.rb
@@ -85,28 +85,6 @@ module Gitlab
      end
    end
-    def issues
-      issues = Issue.where(project_id: project_ids_relation)
-      unless user.admin? || project.team.member?(user.id)
-        issuable_table = issues.arel_table
-        issues = issues.where(
-          issuable_table[:confidential].eq(false).or(
-            issuable_table[:confidential].eq(true).and(issuable_table[:author_id].eq(user.id))
-          )
-        )
-      end
-      if query =~ /#(\d+)\z/
-        issues = issues.where(iid: $1)
-      else
-        issues = issues.full_search(query)
-      end
-      issues.order('updated_at DESC')
-    end
    def project_ids_relation
      project
    end

--- a/lib/gitlab/search_results.rb
+++ b/lib/gitlab/search_results.rb
@@ -59,22 +59,7 @@ module Gitlab
    end
    def issues
-      issues = Issue.where(project_id: project_ids_relation)
+      issues = Issue.available_for(user).where(project_id: project_ids_relation)
-      unless user.admin?
-        issues_table = issues.arel_table
-        authorized_projects_ids = user.authorized_projects.pluck(:id)
-        issues = issues.where(
-          issues_table[:confidential].eq(false).or(
-            issues_table[:confidential].eq(true).and(
-              issues_table[:author_id].eq(user.id).or(
-                issues_table[:project_id].in(authorized_projects_ids)
-              )
-            )
-          )
-        )
-      end
      if query =~ /#(\d+)\z/
        issues = issues.where(iid: $1)