Add validation for confidentiality notes

* only epic/issue notes can be confidential * only notes/discussion notes can be confidential Changelog: changed

Add validation for confidentiality notes
* only epic/issue notes can be confidential * only notes/discussion notes can be confidential Changelog: changed
a839c720 · Jan Provaznik · Pavel Shutsin · 86773e31 · a839c720 · a839c720
Commit a839c720 authored Apr 08, 2022 by Jan Provaznik Committed by Pavel Shutsin Apr 08, 2022
17 changed files
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -35,6 +35,8 @@ class Note < ApplicationRecord
    contact: :read_crm_contact
  }.freeze
+  NON_DIFF_NOTE_TYPES = ['Note', 'DiscussionNote', nil].freeze
  # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
  # See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102
  alias_attribute :last_edited_by, :updated_by
@@ -97,6 +99,9 @@ class Note < ApplicationRecord
  validates :author, presence: true
  validates :discussion_id, presence: true, format: { with: /\A\h{40}\z/ }
+  validate :ensure_confidentiality_discussion_compliance
+  validate :ensure_noteable_can_have_confidential_note
+  validate :ensure_note_type_can_be_confidential
  validate :ensure_confidentiality_not_changed, on: :update
  validate unless: [:for_commit?, :importing?, :skip_project_check?] do |note|
@@ -143,7 +148,7 @@ class Note < ApplicationRecord
  scope :diff_notes, -> { where(type: %w(LegacyDiffNote DiffNote)) }
  scope :new_diff_notes, -> { where(type: 'DiffNote') }
-  scope :non_diff_notes, -> { where(type: ['Note', 'DiscussionNote', nil]) }
+  scope :non_diff_notes, -> { where(type: NON_DIFF_NOTE_TYPES) }
  scope :with_associations, -> do
    # FYI noteable cannot be loaded for LegacyDiffNote for commits
@@ -460,7 +465,7 @@ class Note < ApplicationRecord
  # and all its notes and if we don't care about the discussion's resolvability status.
  def discussion
    strong_memoize(:discussion) do
-      full_discussion = self.noteable.notes.find_discussion(self.discussion_id) if part_of_discussion?
+      full_discussion = self.noteable.notes.find_discussion(self.discussion_id) if self.noteable && part_of_discussion?
      full_discussion || to_discussion
    end
  end
@@ -727,6 +732,35 @@ class Note < ApplicationRecord
    errors.add(:confidential, _('can not be changed for existing notes'))
  end
+  def ensure_confidentiality_discussion_compliance
+    return if start_of_discussion?
+    if discussion.first_note.confidential? != confidential?
+      errors.add(:confidential, _('reply should have same confidentiality as top-level note'))
+    end
+  ensure
+    clear_memoization(:discussion)
+  end
+  def ensure_noteable_can_have_confidential_note
+    return unless confidential?
+    return if noteable_can_have_confidential_note?
+    errors.add(:confidential, _('can not be set for this resource'))
+  end
+  def ensure_note_type_can_be_confidential
+    return unless confidential?
+    return if NON_DIFF_NOTE_TYPES.include?(type)
+    errors.add(:confidential, _('can not be set for this type of note'))
+  end
+  def noteable_can_have_confidential_note?
+    for_issue?
+  end
 end
 Note.prepend_mod_with('Note')
--- a/ee/app/models/ee/note.rb
+++ b/ee/app/models/ee/note.rb
@@ -103,5 +103,10 @@ module EE
    def banzai_context_params
      { group: noteable.group, label_url_method: :group_epics_url }
    end
+    override :noteable_can_have_confidential_note?
+    def noteable_can_have_confidential_note?
+      for_epic? || super
+    end
  end
 end
--- a/ee/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
@@ -6,12 +6,14 @@ RSpec.describe 'Adding a Note to an Epic' do
  include GraphqlHelpers
  let_it_be(:current_user) { create(:user) }
+  let_it_be(:group) { create(:group, :private) }
+  let_it_be(:epic) { create(:epic, group: group) }
-  let(:epic) { create(:epic, group: group) }
  let(:mutation) do
    variables = {
      noteable_id: GitlabSchema.id_from_object(epic).to_s,
-      body: 'Body text'
+      body: 'Body text',
+      confidential: true
    }
    graphql_mutation(:create_note, variables)
@@ -26,14 +28,14 @@ RSpec.describe 'Adding a Note to an Epic' do
  end
  context 'when the user does not have permission' do
-    let(:group) { create(:group, :private) }
    it_behaves_like 'a Note mutation when the user does not have permission'
  end
  context 'when the user has permission' do
-    let(:group) { create(:group, :public) }
+    before do
+      group.add_developer(current_user)
+    end
-    it_behaves_like 'a Note mutation that creates a Note'
+    it_behaves_like 'a Note mutation with confidential notes'
  end
 end
--- a/ee/spec/requests/api/notes_spec.rb
+++ b/ee/spec/requests/api/notes_spec.rb
@@ -21,7 +21,7 @@ RSpec.describe API::Notes do
      stub_licensed_features(epics: true)
    end
-    it_behaves_like "noteable API", 'groups', 'epics', 'id' do
+    it_behaves_like "noteable API with confidential notes", 'groups', 'epics', 'id' do
      let(:parent) { group }
      let(:noteable) { epic }
      let(:note) { epic_note }

--- a/ee/spec/services/search/global_service_spec.rb
+++ b/ee/spec/services/search/global_service_spec.rb
@@ -396,21 +396,9 @@ RSpec.describe Search::GlobalService do
    let_it_be(:project) { create(:project, :public, :repository) }
    context 'with notes on issues' do
-      let(:noteable) { create :issue, project: project }
+      let(:noteable) { create(:issue, project: project) }
-      it_behaves_like 'search notes shared examples', :note_on_issue
+      it_behaves_like 'search confidential notes shared examples', :note_on_issue
-    end
-    context 'with notes on merge requests' do
-      let(:noteable) { create :merge_request, target_project: project, source_project: project }
-      it_behaves_like 'search notes shared examples', :note_on_merge_request
-    end
-    context 'with notes on commits' do
-      let(:noteable) { create(:commit, project: project) }
-      it_behaves_like 'search notes shared examples', :note_on_commit
    end
  end
 end
--- a/ee/spec/support/shared_examples/services/search_notes_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/search_notes_shared_examples.rb
 # frozen_string_literal: true
-RSpec.shared_examples 'search notes shared examples' do
+RSpec.shared_examples 'search confidential notes shared examples' do
  context 'notes confidentiality', :elastic, :sidekiq_inline do
    let_it_be(:user) { create(:user) }
@@ -42,7 +42,7 @@ RSpec.shared_examples 'search notes shared examples' do
      end
    end
-    # For now only issues can be confidential and have confidential notes,
+    # For now only issues and epics can be confidential and have confidential notes,
    # these specs are here to make sure not confidential notes on confidential issues
    # does not get leaked when mixed with other issuable notes.
    context 'with additional notes on a confidential issue' do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -43908,6 +43908,12 @@ msgstr ""
 msgid "can not be changed for existing notes"
 msgstr ""
+msgid "can not be set for this resource"
+msgstr ""
+msgid "can not be set for this type of note"
+msgstr ""
 msgid "can only be changed by a group admin."
 msgstr ""
@@ -45390,6 +45396,9 @@ msgid_plural "replies"
 msgstr[0] ""
 msgstr[1] ""
+msgid "reply should have same confidentiality as top-level note"
+msgstr ""
 msgid "repositories"
 msgstr ""

--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -423,7 +423,21 @@ RSpec.describe Projects::NotesController do
      end
      context 'when creating a confidential note' do
-        let(:extra_request_params) { { format: :json } }
+        let(:project) { create(:project) }
+        let(:note_params) do
+          { note: note_text, noteable_id: issue.id, noteable_type: 'Issue' }.merge(extra_note_params)
+        end
+        let(:request_params) do
+          {
+            note: note_params,
+            namespace_id: project.namespace,
+            project_id: project,
+            target_type: 'issue',
+            target_id: issue.id,
+            format: :json
+          }
+        end
        context 'when `confidential` parameter is not provided' do
          it 'sets `confidential` to `false` in JSON response' do

--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -134,6 +134,74 @@ RSpec.describe Note do
          expect(existing_note.errors[:confidential]).to include('can not be changed for existing notes')
        end
      end
+      context 'for a new note' do
+        let_it_be(:noteable) { create(:issue) }
+        let(:note_params) { { confidential: true, noteable: noteable, project: noteable.project } }
+        subject { build(:note, **note_params) }
+        it 'allows to create a confidential note for an issue' do
+          expect(subject).to be_valid
+        end
+        context 'when noteable is not allowed to have confidential notes' do
+          let_it_be(:noteable) { create(:merge_request) }
+          it 'can not be set confidential' do
+            expect(subject).not_to be_valid
+            expect(subject.errors[:confidential]).to include('can not be set for this resource')
+          end
+        end
+        context 'when note type is not allowed to be confidential' do
+          let(:note_params) { { type: 'DiffNote', confidential: true, noteable: noteable, project: noteable.project } }
+          it 'can not be set confidential' do
+            expect(subject).not_to be_valid
+            expect(subject.errors[:confidential]).to include('can not be set for this type of note')
+          end
+        end
+        context 'when the note is a discussion note' do
+          let(:note_params) { { type: 'DiscussionNote', confidential: true, noteable: noteable, project: noteable.project } }
+          it { is_expected.to be_valid }
+        end
+        context 'when replying to a note' do
+          let(:note_params) { { confidential: true, noteable: noteable, project: noteable.project } }
+          subject { build(:discussion_note, discussion_id: original_note.discussion_id, **note_params) }
+          context 'when the note is reply to a confidential note' do
+            let_it_be(:original_note) { create(:note, confidential: true, noteable: noteable, project: noteable.project) }
+            it { is_expected.to be_valid }
+          end
+          context 'when the note is reply to a public note' do
+            let_it_be(:original_note) { create(:note, noteable: noteable, project: noteable.project) }
+            it 'can not be set confidential' do
+              expect(subject).not_to be_valid
+              expect(subject.errors[:confidential]).to include('reply should have same confidentiality as top-level note')
+            end
+          end
+          context 'when reply note is public but discussion is confidential' do
+            let_it_be(:original_note) { create(:note, confidential: true, noteable: noteable, project: noteable.project) }
+            let(:note_params) { { noteable: noteable, project: noteable.project } }
+            it 'can not be set confidential' do
+              expect(subject).not_to be_valid
+              expect(subject.errors[:confidential]).to include('reply should have same confidentiality as top-level note')
+            end
+          end
+        end
+      end
    end
  end
@@ -1199,8 +1267,8 @@ RSpec.describe Note do
  end
  describe "#discussion" do
-    let!(:note1) { create(:discussion_note_on_merge_request) }
+    let_it_be(:note1) { create(:discussion_note_on_merge_request) }
-    let!(:note2) { create(:diff_note_on_merge_request, project: note1.project, noteable: note1.noteable) }
+    let_it_be(:note2) { create(:diff_note_on_merge_request, project: note1.project, noteable: note1.noteable) }
    context 'when the note is part of a discussion' do
      subject { create(:discussion_note_on_merge_request, project: note1.project, noteable: note1.noteable, in_reply_to: note1) }

--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -359,39 +359,6 @@ RSpec.describe NotePolicy do
            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
          end
        end
-        context 'for merge requests' do
-          let(:merge_request) { create(:merge_request, source_project: project, author: author, assignees: [assignee]) }
-          let(:confidential_note) { create(:note, :confidential, project: project, noteable: merge_request) }
-          it_behaves_like 'confidential notes permissions'
-          it 'allows noteable assignees to read all notes' do
-            expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
-            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
-          end
-        end
-        context 'for project snippets' do
-          let(:project_snippet) { create(:project_snippet, project: project, author: author) }
-          let(:confidential_note) { create(:note, :confidential, project: project, noteable: project_snippet) }
-          it_behaves_like 'confidential notes permissions'
-        end
-        context 'for personal snippets' do
-          let(:personal_snippet) { create(:personal_snippet, author: author) }
-          let(:confidential_note) { create(:note, :confidential, project: nil, noteable: personal_snippet) }
-          it 'allows snippet author to read and resolve all notes' do
-            expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
-            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
-          end
-          it 'does not allow maintainers to read confidential notes and replies' do
-            expect(permissions(maintainer, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
-          end
-        end
      end
    end
  end

--- a/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
+++ b/spec/requests/api/graphql/mutations/notes/create/note_spec.rb
@@ -17,8 +17,7 @@ RSpec.describe 'Adding a Note' do
      noteable_id: GitlabSchema.id_from_object(noteable).to_s,
      discussion_id: (GitlabSchema.id_from_object(discussion).to_s if discussion),
      merge_request_diff_head_sha: head_sha.presence,
-      body: body,
+      body: body
-      confidential: true
    }
    graphql_mutation(:create_note, variables)
@@ -49,7 +48,6 @@ RSpec.describe 'Adding a Note' do
      post_graphql_mutation(mutation, current_user: current_user)
      expect(mutation_response['note']['body']).to eq('Body text')
-      expect(mutation_response['note']['confidential']).to eq(true)
    end
    describe 'creating Notes in reply to a discussion' do
@@ -79,6 +77,25 @@ RSpec.describe 'Adding a Note' do
      end
    end
+    context 'for an issue' do
+      let(:noteable) { create(:issue, project: project) }
+      let(:mutation) do
+        variables = {
+          noteable_id: GitlabSchema.id_from_object(noteable).to_s,
+          body: body,
+          confidential: true
+        }
+        graphql_mutation(:create_note, variables)
+      end
+      before do
+        project.add_developer(current_user)
+      end
+      it_behaves_like 'a Note mutation with confidential notes'
+    end
    context 'when body only contains quick actions' do
      let(:head_sha) { noteable.diff_head_sha }
      let(:body) { '/merge' }

--- a/spec/requests/api/issues/get_project_issues_spec.rb
+++ b/spec/requests/api/issues/get_project_issues_spec.rb
@@ -877,5 +877,35 @@ RSpec.describe API::Issues do
      expect(response).to have_gitlab_http_status(:not_found)
    end
+    context 'with a confidential note' do
+      let!(:note) do
+        create(
+          :note,
+          :confidential,
+          project: project,
+          noteable: issue,
+          author: create(:user)
+        )
+      end
+      it 'returns a full list of participants' do
+        get api("/projects/#{project.id}/issues/#{issue.iid}/participants", user)
+        expect(response).to have_gitlab_http_status(:ok)
+        participant_ids = json_response.map { |el| el['id'] }
+        expect(participant_ids).to match_array([issue.author_id, note.author_id])
+      end
+      context 'when user cannot see a confidential note' do
+        it 'returns a limited list of participants' do
+          get api("/projects/#{project.id}/issues/#{issue.iid}/participants", create(:user))
+          expect(response).to have_gitlab_http_status(:ok)
+          participant_ids = json_response.map { |el| el['id'] }
+          expect(participant_ids).to match_array([issue.author_id])
+        end
+      end
+    end
  end
 end
--- a/spec/requests/api/notes_spec.rb
+++ b/spec/requests/api/notes_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe API::Notes do
    let!(:issue) { create(:issue, project: project, author: user) }
    let!(:issue_note) { create(:note, noteable: issue, project: project, author: user) }
-    it_behaves_like "noteable API", 'projects', 'issues', 'iid' do
+    it_behaves_like "noteable API with confidential notes", 'projects', 'issues', 'iid' do
      let(:parent) { project }
      let(:noteable) { issue }
      let(:note) { issue_note }

--- a/spec/services/notes/create_service_spec.rb
+++ b/spec/services/notes/create_service_spec.rb
@@ -106,7 +106,8 @@ RSpec.describe Notes::CreateService do
                       type: 'DiffNote',
                       noteable_type: 'MergeRequest',
                       noteable_id: merge_request.id,
-                       position: position.to_h)
+                       position: position.to_h,
+                       confidential: false)
          end
          before do
@@ -141,7 +142,8 @@ RSpec.describe Notes::CreateService do
                         type: 'DiffNote',
                         noteable_type: 'MergeRequest',
                         noteable_id: merge_request.id,
-                         position: position.to_h)
+                         position: position.to_h,
+                         confidential: false)
            expect(merge_request).not_to receive(:diffs)
@@ -173,7 +175,8 @@ RSpec.describe Notes::CreateService do
                         type: 'DiffNote',
                         noteable_type: 'MergeRequest',
                         noteable_id: merge_request.id,
-                         position: position.to_h)
+                         position: position.to_h,
+                         confidential: false)
            end
            it 'note is associated with a note diff file' do
@@ -201,7 +204,8 @@ RSpec.describe Notes::CreateService do
                         type: 'DiffNote',
                         noteable_type: 'MergeRequest',
                         noteable_id: merge_request.id,
-                         position: position.to_h)
+                         position: position.to_h,
+                         confidential: false)
            end
            it 'note is not associated with a note diff file' do
@@ -230,7 +234,8 @@ RSpec.describe Notes::CreateService do
                           type: 'DiffNote',
                           noteable_type: 'MergeRequest',
                           noteable_id: merge_request.id,
-                           position: image_position.to_h)
+                           position: image_position.to_h,
+                           confidential: false)
              end
              it 'note is not associated with a note diff file' do
@@ -306,7 +311,7 @@ RSpec.describe Notes::CreateService do
          let_it_be(:merge_request) { create(:merge_request, source_project: project, labels: [bug_label]) }
          let(:issuable) { merge_request }
-          let(:note_params) { opts.merge(noteable_type: 'MergeRequest', noteable_id: merge_request.id) }
+          let(:note_params) { opts.merge(noteable_type: 'MergeRequest', noteable_id: merge_request.id, confidential: false) }
          let(:merge_request_quick_actions) do
            [
              QuickAction.new(

--- a/spec/support/shared_examples/graphql/notes_creation_shared_examples.rb
+++ b/spec/support/shared_examples/graphql/notes_creation_shared_examples.rb
@@ -85,3 +85,14 @@ RSpec.shared_examples 'a Note mutation when there are rate limit validation erro
    end
  end
 end
+RSpec.shared_examples 'a Note mutation with confidential notes' do
+  it_behaves_like 'a Note mutation that creates a Note'
+  it 'returns a Note with confidentiality enabled' do
+    post_graphql_mutation(mutation, current_user: current_user)
+    expect(mutation_response).to have_key('note')
+    expect(mutation_response['note']['confidential']).to eq(true)
+  end
+end
--- a/spec/support/shared_examples/requests/api/issuable_participants_examples.rb
+++ b/spec/support/shared_examples/requests/api/issuable_participants_examples.rb
@@ -28,34 +28,4 @@ RSpec.shared_examples 'issuable participants endpoint' do
    expect(response).to have_gitlab_http_status(:not_found)
  end
-  context 'with a confidential note' do
-    let!(:note) do
-      create(
-        :note,
-        :confidential,
-        project: project,
-        noteable: entity,
-        author: create(:user)
-      )
-    end
-    it 'returns a full list of participants' do
-      get api("/projects/#{project.id}/#{area}/#{entity.iid}/participants", user)
-      expect(response).to have_gitlab_http_status(:ok)
-      participant_ids = json_response.map { |el| el['id'] }
-      expect(participant_ids).to match_array([entity.author_id, note.author_id])
-    end
-    context 'when user cannot see a confidential note' do
-      it 'returns a limited list of participants' do
-        get api("/projects/#{project.id}/#{area}/#{entity.iid}/participants", create(:user))
-        expect(response).to have_gitlab_http_status(:ok)
-        participant_ids = json_response.map { |el| el['id'] }
-        expect(participant_ids).to match_array([entity.author_id])
-      end
-    end
-  end
 end
--- a/spec/support/shared_examples/requests/api/notes_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/notes_shared_examples.rb
@@ -142,15 +142,6 @@ RSpec.shared_examples 'noteable API' do |parent_type, noteable_type, id_name|
      expect(json_response['author']['username']).to eq(user.username)
    end
-    it "creates a confidential note if confidential is set to true" do
-      post api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes", user), params: { body: 'hi!', confidential: true }
-      expect(response).to have_gitlab_http_status(:created)
-      expect(json_response['body']).to eq('hi!')
-      expect(json_response['confidential']).to be_truthy
-      expect(json_response['author']['username']).to eq(user.username)
-    end
    it "returns a 400 bad request error if body not given" do
      post api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes", user)
@@ -312,26 +303,22 @@ RSpec.shared_examples 'noteable API' do |parent_type, noteable_type, id_name|
      put api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes/#{note.id}", user), params: params
    end
-    context 'when eveything is ok' do
+    context 'when only body param is present' do
-      before do
+      let(:params) { { body: 'Hello!' } }
+      it 'updates the note text' do
        subject
-      end
-      it 'returns modified note' do
+        expect(note.reload.note).to eq('Hello!')
        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['body']).to eq('Hello!')
      end
-      it 'updates the note' do
-        expect(note.reload.note).to eq('Hello!')
-        expect(note.confidential).to be_falsey
-      end
    end
-    context 'when also confidential param is set' do
+    context 'when confidential param is present' do
-      let(:params) { { body: 'Hello!', confidential: true } }
+      let(:params) { { confidential: true } }
-      it 'fails to update the note' do
+      it 'does not allow to change confidentiality' do
        expect { subject }.not_to change { note.reload.note }
        expect(response).to have_gitlab_http_status(:bad_request)
@@ -376,3 +363,24 @@ RSpec.shared_examples 'noteable API' do |parent_type, noteable_type, id_name|
    end
  end
 end
+RSpec.shared_examples 'noteable API with confidential notes' do |parent_type, noteable_type, id_name|
+  it_behaves_like 'noteable API', parent_type, noteable_type, id_name
+  describe "POST /#{parent_type}/:id/#{noteable_type}/:noteable_id/notes" do
+    let(:params) { { body: 'hi!' } }
+    subject do
+      post api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes", user), params: params
+    end
+    it "creates a confidential note if confidential is set to true" do
+      post api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes", user), params: params.merge(confidential: true)
+      expect(response).to have_gitlab_http_status(:created)
+      expect(json_response['body']).to eq('hi!')
+      expect(json_response['confidential']).to be_truthy
+      expect(json_response['author']['username']).to eq(user.username)
+    end
+  end
+end