Merge branch 'es-confidential-issues-in-private-projects' into 'master'

ES: Project members with guest role can't access confidential issues ## What does this MR do? Restrict access to confidential issues to team members with at least Reporter access when performing search using Elasticsearch. Allow users to create confidential issues in private projects, and exclude access to them to project members with `Guest` role. ## Are there points in the code the reviewer needs to double check? The query generated in the `Elastic::NotesSearch.elastic_search` method. ## Why was this MR needed? Confidential issues should only be visible to team members with at least Reporter access. ## What are the relevant issue numbers? https://gitlab.com/gitlab-org/gitlab-ce/issues/14787 ## Screenshots (if relevant) Not relevant. See merge request !471

Merge branch 'es-confidential-issues-in-private-projects' into 'master'
ES: Project members with guest role can't access confidential issues ## What does this MR do? Restrict access to confidential issues to team members with at least Reporter access when performing search using Elasticsearch. Allow users to create confidential issues in private projects, and exclude access to them to project members with `Guest` role. ## Are there points in the code the reviewer needs to double check? The query generated in the `Elastic::NotesSearch.elastic_search` method. ## Why was this MR needed? Confidential issues should only be visible to team members with at least Reporter access. ## What are the relevant issue numbers? https://gitlab.com/gitlab-org/gitlab-ce/issues/14787 ## Screenshots (if relevant) Not relevant. See merge request !471
8055ca04 · Valery Sizov · 942b11ab · 70ab0e7e · 8055ca04 · 8055ca04
Commit 8055ca04 authored Jun 17, 2016 by Valery Sizov
5 changed files
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
@@ -9,6 +9,7 @@ v 8.9.0 (unreleased)
  - Distribute RepositoryUpdateMirror jobs in time and add exclusive lease on them by project_id
  - [Elastic] Move ES settings to application settings
  - Disable mirror flag for projects without import_url
+  - [Elastic] Project members with guest role can't access confidential issues

 v 8.8.5
  - Make sure OAuth routes that we generate for Geo matches with the ones in Rails routes !444

--- a/app/models/concerns/elastic/issues_search.rb
+++ b/app/models/concerns/elastic/issues_search.rb
@@ -69,7 +69,7 @@ module Elastic
                                   should: [
                                     { term: { author_id: current_user.id } },
                                     { term: { assignee_id: current_user.id } },
-                                     { terms: { project_id: current_user.authorized_projects.pluck(:id) } }
+                                     { terms: { project_id: current_user.authorized_projects(Gitlab::Access::REPORTER).pluck(:id) } }
                                   ]
                                 }
                               }

--- a/app/models/concerns/elastic/notes_search.rb
+++ b/app/models/concerns/elastic/notes_search.rb
@@ -92,7 +92,7 @@ module Elastic
                    should: [
                      { term: { "issue.author_id" => current_user.id } },
                      { term: { "issue.assignee_id" => current_user.id } },
-                      { terms: { "issue.project_id" => current_user.authorized_projects.pluck(:id) } }
+                      { terms: { "project_id" => current_user.authorized_projects(Gitlab::Access::REPORTER).pluck(:id) } }
                    ]
                  }
                }

--- a/spec/lib/gitlab/elastic/project_search_results_spec.rb
+++ b/spec/lib/gitlab/elastic/project_search_results_spec.rb
@@ -122,6 +122,18 @@ describe Gitlab::Elastic::ProjectSearchResults, lib: true do
      expect(results.issues_count).to eq 3
    end

+    it 'should not list project confidential issues for project members with guest role' do
+      project.team << [member, :guest]
+
+      results = described_class.new(member, project.id, query)
+      issues = results.objects('issues')
+
+      expect(issues).to include issue
+      expect(issues).not_to include security_issue_1
+      expect(issues).not_to include security_issue_2
+      expect(results.issues_count).to eq 1
+    end
+
    it 'should list all project issues for admin' do
      results = described_class.new(admin, project.id, query)
      issues = results.objects('issues')

--- a/spec/models/concerns/elastic/note_spec.rb
+++ b/spec/models/concerns/elastic/note_spec.rb
@@ -78,5 +78,39 @@ describe Note, elastic: true do

      expect(Note.elastic_search('term', options: options).total_count).to eq(1)
    end
+
+    it "return notes with matching content for project members" do
+      user = create :user
+      issue = create :issue, :confidential, author: user
+
+      member = create(:user)
+      issue.project.team << [member, :developer]
+
+      create :note, note: 'bla-bla term', project: issue.project, noteable: issue
+      create :note, project: issue.project, noteable: issue
+
+      Note.__elasticsearch__.refresh_index!
+
+      options = { project_ids: [issue.project.id], current_user: member }
+
+      expect(Note.elastic_search('term', options: options).total_count).to eq(1)
+    end
+
+    it "does not return notes with matching content for project members with guest role" do
+      user = create :user
+      issue = create :issue, :confidential, author: user
+
+      member = create(:user)
+      issue.project.team << [member, :guest]
+
+      create :note, note: 'bla-bla term', project: issue.project, noteable: issue
+      create :note, project: issue.project, noteable: issue
+
+      Note.__elasticsearch__.refresh_index!
+
+      options = { project_ids: [issue.project.id], current_user: member }
+
+      expect(Note.elastic_search('term', options: options).total_count).to eq(0)
+    end
  end
 end