Reset feature branch

Reset hard master and create banned user table

Add ban service spec

Add specs for banned user and ban service

Add unban service file

BannedUser object gets created and destroyed

Add unban service specs

Add specs for unban user

Run rake translate

Add aggregate failures

Update state machine transition

Update ban and unban specs

Remove enable admin mode

Remove unneeded method

Remove unneeded method

Add specs for ban and unban

DRY ban and unban service

Consolidate ban and unban user service
into one file

DRY spec shared example

Create Users BaseService

Need to fix specs

Fix Base Service

Update specs

Use error instead of service error

Change service error to permission error

Rename Users BaseService

DRY ban and unban service

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Remove bad rebase changes

Some files got left over, remove them

Remove bad rebase changes

Some files got left over, remove them

Run rails migration

Remove issue hidden attribute

Also update ban copy

Add issue specs

Add specs for issue model

Use single quotes

Add hidden issue to user moderation doc

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Remove bad rebase changes

Some files got left over, remove them

Remove bad rebase changes

Some files got left over, remove them

Run rails migration

Remove issue hidden attribute

Also update ban copy

Add issue specs

Add specs for issue model

Use single quotes

Add hidden issue to user moderation doc

Use safe operator

Alias author banned to hidden

Fix failing specs

Reset feature branch

Reset hard master and create banned user table

Add ban service spec

Add specs for banned user and ban service

Add unban service file

BannedUser object gets created and destroyed

Add unban service specs

Add specs for unban user

Run rake translate

Add aggregate failures

Update state machine transition

Update ban and unban specs

Remove enable admin mode

Remove unneeded method

Remove unneeded method

Add specs for ban and unban

DRY ban and unban service

Consolidate ban and unban user service
into one file

DRY spec shared example

Create Users BaseService

Need to fix specs

Fix Base Service

Update specs

Use error instead of service error

Change service error to permission error

Rename Users BaseService

DRY ban and unban service

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Remove bad rebase changes

Some files got left over, remove them

Remove bad rebase changes

Some files got left over, remove them

Run rails migration

Remove issue hidden attribute

Also update ban copy

Add issue specs

Add specs for issue model

Use single quotes

Add hidden issue to user moderation doc

Run rubocop linter

Run bin rake translate

Ban and unban user service

Move execute to base service

Run rubocop linter

Rename user ban spec

Run translation script

Use action method instead of override initialize

Move some conceptual material to main page and other minor improvements

Add hidden column to issues table

Does not allow non admin user
to read the issue

Rebase db structure with master

Add hidden only issues scope

Exclude hidden issues from issues finder

If user is non admin, do not show hidden issues

Add issues finder specs

Update issue scopes

Also fix specs

Add ampersand to issue policy

Revert unwanted rebase changes

Add migration files

Migration files got overwritten by rebase

Remove bad rebase changes

Some files got left over, remove them

Remove bad rebase changes

Some files got left over, remove them

Run rails migration

Remove issue hidden attribute

Also update ban copy

Add issue specs

Add specs for issue model

Use single quotes

Add hidden issue to user moderation doc

Fix failing specs

New way of fixing pipeline failures

Change query limit

Update issue spec

Address MR review comments

Apply MR review suggestions

Add specs, fix docs

FF check for banned users

Run rake translate

Add spec to issues spec

Apply maintainer suggestions

app/assets/javascripts/admin/users/components/actions/ban.vue

@@ -6,10 +6,11 @@ import { I18N_USER_ACTIONS } from '../../constants';
 
 // TODO: To be replaced with <template> content in https://gitlab.com/gitlab-org/gitlab/-/issues/320922
 const messageHtml = `
-  <p>${s__('AdminUsers|When banned, users:')}</p>
+  <p>${s__('AdminUsers|When banned:')}</p>
   <ul>
-    <li>${s__("AdminUsers|Can't log in.")}</li>
-    <li>${s__("AdminUsers|Can't access Git repositories.")}</li>
+    <li>${s__("AdminUsers|The user can't log in.")}</li>
+    <li>${s__("AdminUsers|The user can't access git repositories.")}</li>
+    <li>${s__('AdminUsers|Issues authored by this user are hidden from other users.')}</li>
   </ul>
   <p>${s__('AdminUsers|You can unban their account in the future. Their data remains intact.')}</p>
   <p>${sprintf(

app/finders/issues_finder.rb

@@ -47,17 +47,22 @@ class IssuesFinder < IssuableFinder
 
   # rubocop: disable CodeReuse/ActiveRecord
   def with_confidentiality_access_check
-    return Issue.all if params.user_can_see_all_confidential_issues?
+    return Issue.all if params.user_can_see_all_issues?
+
+    # Only admins can see hidden issues, so for non-admins, we filter out any hidden issues
+    issues = Issue.without_hidden
+
+    return issues.all if params.user_can_see_all_confidential_issues?
 
     # If already filtering by assignee we can skip confidentiality since a user
     # can always see confidential issues assigned to them. This is just an
     # optimization since a very common usecase of this Finder is to load the
     # count of issues assigned to the user for the header bar.
-    return Issue.all if current_user && assignee_filter.includes_user?(current_user)
+    return issues.all if current_user && assignee_filter.includes_user?(current_user)
 
-    return Issue.where('issues.confidential IS NOT TRUE') if params.user_cannot_see_confidential_issues?
+    return issues.where('issues.confidential IS NOT TRUE') if params.user_cannot_see_confidential_issues?
 
-    Issue.where('
+    issues.where('
       issues.confidential IS NOT TRUE
       OR (issues.confidential = TRUE
         AND (issues.author_id = :user_id

app/finders/issues_finder/params.rb

@@ -32,7 +32,7 @@ class IssuesFinder
         if parent
           Ability.allowed?(current_user, :read_confidential_issues, parent)
         else
-          Ability.allowed?(current_user, :read_all_resources)
+          user_can_see_all_issues?
         end
       end
     end
@@ -42,6 +42,12 @@ class IssuesFinder
 
       current_user.blank?
     end
+
+    def user_can_see_all_issues?
+      strong_memoize(:user_can_see_all_issues) do
+        Ability.allowed?(current_user, :read_all_resources)
+      end
+    end
   end
 end
 

app/graphql/resolvers/issues_resolver.rb

@@ -37,7 +37,8 @@ module Resolvers
       [
         {
           project: [:project_feature]
-        }
+        },
+        :author
       ]
     end
 

app/helpers/issues_helper.rb

@@ -52,6 +52,10 @@ module IssuesHelper
     sprite_icon('eye-slash', css_class: 'gl-vertical-align-text-bottom') if issue.confidential?
   end
 
+  def hidden_issue_icon(issue)
+    sprite_icon('spam', css_class: 'gl-vertical-align-text-bottom') if issue.hidden?
+  end
+
   def award_user_list(awards, current_user, limit: 10)
     names = awards.map do |award|
       award.user == current_user ? 'You' : award.user.name

app/models/issue.rb

@@ -135,6 +135,15 @@ class Issue < ApplicationRecord
   scope :public_only, -> { where(confidential: false) }
   scope :confidential_only, -> { where(confidential: true) }
 
+  scope :without_hidden, -> {
+    if Feature.enabled?(:ban_user_feature_flag)
+      where(id: joins('LEFT JOIN banned_users ON banned_users.user_id = issues.author_id WHERE banned_users.user_id IS NULL')
+      .select('issues.id'))
+    else
+      all
+    end
+  }
+
   scope :counts_by_state, -> { reorder(nil).group(:state_id).count }
 
   scope :service_desk, -> { where(author: ::User.support_bot) }
@@ -556,6 +565,8 @@ class Issue < ApplicationRecord
       true
     elsif confidential? && !assignee_or_author?(user)
       project.team.member?(user, Gitlab::Access::REPORTER)
+    elsif hidden?
+      false
     else
       project.public? ||
         project.internal? && !user.external? ||
@@ -563,6 +574,10 @@ class Issue < ApplicationRecord
     end
   end
 
+  def hidden?
+    author&.banned?
+  end
+
   private
 
   def spammable_attribute_changed?
@@ -590,7 +605,7 @@ class Issue < ApplicationRecord
 
   # Returns `true` if this Issue is visible to everybody.
   def publicly_visible?
-    project.public? && !confidential? && !::Gitlab::ExternalAuthorization.enabled?
+    project.public? && !confidential? && !hidden? && !::Gitlab::ExternalAuthorization.enabled?
   end
 
   def expire_etag_cache

app/policies/issue_policy.rb

@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
   desc "Issue is confidential"
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  desc "Issue is hidden"
+  condition(:hidden, scope: :subject) { @subject.hidden? }
+
   desc "Issue is persisted"
   condition(:persisted, scope: :subject) { @subject.persisted? }
 
@@ -23,6 +26,10 @@ class IssuePolicy < IssuablePolicy
     prevent :read_issue_iid
   end
 
+  rule { hidden & ~admin }.policy do
+    prevent :read_issue
+  end
+
   rule { ~can?(:read_issue) }.prevent :create_note
 
   rule { locked }.policy do

app/views/projects/issues/_issue.html.haml

@@ -12,6 +12,9 @@
           - if issue.confidential?
             %span.has-tooltip{ title: _('Confidential') }
               = confidential_icon(issue)
+          - if Feature.enabled?(:ban_user_feature_flag) && issue.hidden?
+            %span.has-tooltip{ title: _('This issue is hidden because its author has been banned') }
+              = hidden_issue_icon(issue)
           = link_to issue.title, issue_path(issue)
         = render_if_exists 'projects/issues/subepic_flag', issue: issue
         - if issue.tasks?

doc/user/admin_area/moderate_users.md

@@ -195,12 +195,12 @@ Users can also be activated using the [GitLab API](../../api/users.md#activate-u
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327353) in GitLab 14.2.
 
-GitLab administrators can ban and unban users. The banned user's issues are still displayed. Hiding
-a banned user's issues is a [work in progress](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66687).
+GitLab administrators can ban and unban users. Banned users are blocked, and their issues are hidden. 
+The banned user's comments are still displayed. Hiding a banned user's comments is [tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/327356).
 
 ### Ban a user
 
-To completely block a user, administrators can choose to ban the user.
+To block a user and hide their contributions, administrators can ban the user.
 
 Users can be banned using the Admin Area. To do this:
 

ee/spec/finders/issues_finder_spec.rb

@@ -237,9 +237,11 @@ RSpec.describe IssuesFinder do
     let_it_be(:guest) { create(:user) }
 
     let_it_be(:authorized_user) { create(:user) }
+    let_it_be(:banned_user) { create(:user, :banned) }
     let_it_be(:project) { create(:project, namespace: authorized_user.namespace) }
     let_it_be(:public_issue) { create(:issue, project: project) }
     let_it_be(:confidential_issue) { create(:issue, project: project, confidential: true) }
+    let_it_be(:hidden_issue) { create(:issue, project: project, author: banned_user) }
 
     context 'when no project filter is given' do
       let(:params) { {} }
@@ -250,7 +252,7 @@ RSpec.describe IssuesFinder do
         subject { described_class.new(auditor_user, params).with_confidentiality_access_check }
 
         it 'returns all issues' do
-          expect(subject).to include(public_issue, confidential_issue)
+          expect(subject).to include(public_issue, confidential_issue, hidden_issue)
         end
       end
     end
@@ -264,7 +266,7 @@ RSpec.describe IssuesFinder do
         subject { described_class.new(auditor_user, params).with_confidentiality_access_check }
 
         it 'returns all issues' do
-          expect(subject).to include(public_issue, confidential_issue)
+          expect(subject).to include(public_issue, confidential_issue, hidden_issue)
         end
       end
     end

locale/gitlab.pot

@@ -2563,12 +2563,6 @@ msgstr ""
 msgid "AdminUsers|Blocking user has the following effects:"
 msgstr ""
 
-msgid "AdminUsers|Can't access Git repositories."
-msgstr ""
-
-msgid "AdminUsers|Can't log in."
-msgstr ""
-
 msgid "AdminUsers|Cannot sign in or access instance information"
 msgstr ""
 
@@ -2635,6 +2629,9 @@ msgstr ""
 msgid "AdminUsers|Is using seat"
 msgstr ""
 
+msgid "AdminUsers|Issues authored by this user are hidden from other users."
+msgstr ""
+
 msgid "AdminUsers|It's you!"
 msgstr ""
 
@@ -2698,6 +2695,12 @@ msgstr ""
 msgid "AdminUsers|Sort by"
 msgstr ""
 
+msgid "AdminUsers|The user can't access git repositories."
+msgstr ""
+
+msgid "AdminUsers|The user can't log in."
+msgstr ""
+
 msgid "AdminUsers|The user will be logged out"
 msgstr ""
 
@@ -2764,7 +2767,7 @@ msgstr ""
 msgid "AdminUsers|What does this mean?"
 msgstr ""
 
-msgid "AdminUsers|When banned, users:"
+msgid "AdminUsers|When banned:"
 msgstr ""
 
 msgid "AdminUsers|When the user logs back in, their account will reactivate as a fully active account"
@@ -33913,6 +33916,9 @@ msgstr ""
 msgid "This issue is currently blocked by the following issues:"
 msgstr ""
 
+msgid "This issue is hidden because its author has been banned"
+msgstr ""
+
 msgid "This issue is in a child epic of the filtered epic"
 msgstr ""
 

spec/finders/issues_finder_spec.rb

@@ -789,7 +789,7 @@ RSpec.describe IssuesFinder do
         context 'user filters confidential issues' do
           let(:params) { { confidential: true } }
 
-          it 'returns only confdential issues' do
+          it 'returns only confidential issues' do
             expect(issues).to contain_exactly(confidential_issue)
           end
         end
@@ -797,7 +797,7 @@ RSpec.describe IssuesFinder do
         context 'user filters only public issues' do
           let(:params) { { confidential: false } }
 
-          it 'returns only confdential issues' do
+          it 'returns only public issues' do
             expect(issues).to contain_exactly(issue1, issue2, issue3, issue4, issue5)
           end
         end
@@ -1004,9 +1004,38 @@ RSpec.describe IssuesFinder do
     let(:guest) { create(:user) }
 
     let_it_be(:authorized_user) { create(:user) }
+    let_it_be(:banned_user) { create(:user, :banned) }
     let_it_be(:project) { create(:project, namespace: authorized_user.namespace) }
     let_it_be(:public_issue) { create(:issue, project: project) }
     let_it_be(:confidential_issue) { create(:issue, project: project, confidential: true) }
+    let_it_be(:hidden_issue) { create(:issue, project: project, author: banned_user) }
+
+    shared_examples 'returns public, does not return hidden or confidential' do
+      it 'returns only public issues' do
+        expect(subject).to include(public_issue)
+        expect(subject).not_to include(confidential_issue, hidden_issue)
+      end
+    end
+
+    shared_examples 'returns public and confidential, does not return hidden' do
+      it 'returns only public and confidential issues' do
+        expect(subject).to include(public_issue, confidential_issue)
+        expect(subject).not_to include(hidden_issue)
+      end
+    end
+
+    shared_examples 'returns public and hidden, does not return confidential' do
+      it 'returns only public and hidden issues' do
+        expect(subject).to include(public_issue, hidden_issue)
+        expect(subject).not_to include(confidential_issue)
+      end
+    end
+
+    shared_examples 'returns public, confidential, and hidden' do
+      it 'returns all issues' do
+        expect(subject).to include(public_issue, confidential_issue, hidden_issue)
+      end
+    end
 
     context 'when no project filter is given' do
       let(:params) { {} }
@@ -1014,18 +1043,28 @@ RSpec.describe IssuesFinder do
       context 'for an anonymous user' do
         subject { described_class.new(nil, params).with_confidentiality_access_check }
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
       end
 
       context 'for a user without project membership' do
         subject { described_class.new(user, params).with_confidentiality_access_check }
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
       end
 
@@ -1036,17 +1075,28 @@ RSpec.describe IssuesFinder do
           project.add_guest(guest)
         end
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
       end
 
       context 'for a project member with access to view confidential issues' do
         subject { described_class.new(authorized_user, params).with_confidentiality_access_check }
 
-        it 'returns all issues' do
-          expect(subject).to include(public_issue, confidential_issue)
+        it_behaves_like 'returns public and confidential, does not return hidden'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public, confidential, and hidden'
         end
       end
 
@@ -1056,15 +1106,26 @@ RSpec.describe IssuesFinder do
         subject { described_class.new(admin_user, params).with_confidentiality_access_check }
 
         context 'when admin mode is enabled', :enable_admin_mode do
-          it 'returns all issues' do
-            expect(subject).to include(public_issue, confidential_issue)
+          it_behaves_like 'returns public, confidential, and hidden'
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(ban_user_feature_flag: false)
+            end
+
+            it_behaves_like 'returns public, confidential, and hidden'
           end
         end
 
         context 'when admin mode is disabled' do
-          it 'returns only public issues' do
-            expect(subject).to include(public_issue)
-            expect(subject).not_to include(confidential_issue)
+          it_behaves_like 'returns public, does not return hidden or confidential'
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(ban_user_feature_flag: false)
+            end
+
+            it_behaves_like 'returns public and hidden, does not return confidential'
           end
         end
       end
@@ -1076,14 +1137,18 @@ RSpec.describe IssuesFinder do
       context 'for an anonymous user' do
         subject { described_class.new(nil, params).with_confidentiality_access_check }
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
 
         it 'does not filter by confidentiality' do
           expect(Issue).not_to receive(:where).with(a_string_matching('confidential'), anything)
-
           subject
         end
       end
@@ -1091,9 +1156,14 @@ RSpec.describe IssuesFinder do
       context 'for a user without project membership' do
         subject { described_class.new(user, params).with_confidentiality_access_check }
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
 
         it 'filters by confidentiality' do
@@ -1108,9 +1178,14 @@ RSpec.describe IssuesFinder do
           project.add_guest(guest)
         end
 
-        it 'returns only public issues' do
-          expect(subject).to include(public_issue)
-          expect(subject).not_to include(confidential_issue)
+        it_behaves_like 'returns public, does not return hidden or confidential'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public and hidden, does not return confidential'
         end
 
         it 'filters by confidentiality' do
@@ -1121,8 +1196,14 @@ RSpec.describe IssuesFinder do
       context 'for a project member with access to view confidential issues' do
         subject { described_class.new(authorized_user, params).with_confidentiality_access_check }
 
-        it 'returns all issues' do
-          expect(subject).to include(public_issue, confidential_issue)
+        it_behaves_like 'returns public and confidential, does not return hidden'
+
+        context 'when feature flag is disabled' do
+          before do
+            stub_feature_flags(ban_user_feature_flag: false)
+          end
+
+          it_behaves_like 'returns public, confidential, and hidden'
         end
 
         it 'does not filter by confidentiality' do
@@ -1138,8 +1219,14 @@ RSpec.describe IssuesFinder do
         subject { described_class.new(admin_user, params).with_confidentiality_access_check }
 
         context 'when admin mode is enabled', :enable_admin_mode do
-          it 'returns all issues' do
-            expect(subject).to include(public_issue, confidential_issue)
+          it_behaves_like 'returns public, confidential, and hidden'
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(ban_user_feature_flag: false)
+            end
+
+            it_behaves_like 'returns public, confidential, and hidden'
           end
 
           it 'does not filter by confidentiality' do
@@ -1150,9 +1237,14 @@ RSpec.describe IssuesFinder do
         end
 
         context 'when admin mode is disabled' do
-          it 'returns only public issues' do
-            expect(subject).to include(public_issue)
-            expect(subject).not_to include(confidential_issue)
+          it_behaves_like 'returns public, does not return hidden or confidential'
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(ban_user_feature_flag: false)
+            end
+
+            it_behaves_like 'returns public and hidden, does not return confidential'
           end
 
           it 'filters by confidentiality' do

spec/graphql/mutations/design_management/delete_spec.rb

@@ -86,9 +86,9 @@ RSpec.describe Mutations::DesignManagement::Delete do
           end
         end
 
-        it 'runs no more than 28 queries' do
+        it 'runs no more than 29 queries' do
           filenames.each(&:present?) # ignore setup
-          # Queries: as of 2019-08-28
+          # Queries: as of 2021-07-22
           # -------------
           # 01. routing query
           # 02. find project by id
@@ -100,25 +100,26 @@ RSpec.describe Mutations::DesignManagement::Delete do
           # 09. find namespace by id
           # 10. find group namespace by id
           # 11. project.authorizations for user (same query as 5)
-          # 12. project.project_features (same query as 3)
-          # 13. project.authorizations for user (same query as 5)
-          # 14. current designs by filename and issue
-          # 15, 16 project.authorizations for user (same query as 5)
-          # 17. find route by id and source_type
+          # 12. find user by id
+          # 13. project.project_features (same query as 3)
+          # 14. project.authorizations for user (same query as 5)
+          # 15. current designs by filename and issue
+          # 16, 17 project.authorizations for user (same query as 5)
+          # 18. find route by id and source_type
           # ------------- our queries are below:
-          # 18. start transaction 1
-          # 19.   start transaction 2
-          # 20.     find version by sha and issue
-          # 21.     exists version with sha and issue?
-          # 22.   leave transaction 2
-          # 23.   create version with sha and issue
-          # 24.   create design-version links
-          # 25.   validate version.actions.present?
-          # 26.   validate version.issue.present?
-          # 27.   validate version.sha is unique
-          # 28. leave transaction 1
+          # 19. start transaction 1
+          # 20.   start transaction 2
+          # 21.     find version by sha and issue
+          # 22.     exists version with sha and issue?
+          # 23.   leave transaction 2
+          # 24.   create version with sha and issue
+          # 25.   create design-version links
+          # 26.   validate version.actions.present?
+          # 27.   validate version.issue.present?
+          # 28.   validate version.sha is unique
+          # 29. leave transaction 1
           #
-          expect { run_mutation }.not_to exceed_query_limit(28)
+          expect { run_mutation }.not_to exceed_query_limit(29)
         end
       end
 

spec/graphql/resolvers/issues_resolver_spec.rb

@@ -393,13 +393,13 @@ RSpec.describe Resolvers::IssuesResolver do
       end
 
       it 'finds a specific issue with iid', :request_store do
-        result = batch_sync(max_queries: 4) { resolve_issues(iid: issue1.iid).to_a }
+        result = batch_sync(max_queries: 5) { resolve_issues(iid: issue1.iid).to_a }
 
         expect(result).to contain_exactly(issue1)
       end
 
       it 'batches queries that only include IIDs', :request_store do
-        result = batch_sync(max_queries: 4) do
+        result = batch_sync(max_queries: 5) do
           [issue1, issue2]
             .map { |issue| resolve_issues(iid: issue.iid.to_s) }
             .flat_map(&:to_a)
@@ -409,7 +409,7 @@ RSpec.describe Resolvers::IssuesResolver do
       end
 
       it 'finds a specific issue with iids', :request_store do
-        result = batch_sync(max_queries: 4) do
+        result = batch_sync(max_queries: 5) do
           resolve_issues(iids: [issue1.iid]).to_a
         end
 

spec/models/issue_spec.rb

@@ -796,17 +796,47 @@ RSpec.describe Issue do
         end
       end
 
+      shared_examples 'hidden issue readable by user' do
+        before do
+          issue.author.ban!
+        end
+
+        specify do
+          is_expected.to eq(true)
+        end
+
+        after do
+          issue.author.activate!
+        end
+      end
+
+      shared_examples 'hidden issue not readable by user' do
+        before do
+          issue.author.ban!
+        end
+
+        specify do
+          is_expected.to eq(false)
+        end
+
+        after do
+          issue.author.activate!
+        end
+      end
+
       context 'with an admin user' do
         let(:user) { build(:admin) }
 
         context 'when admin mode is enabled', :enable_admin_mode do
           it_behaves_like 'issue readable by user'
           it_behaves_like 'confidential issue readable by user'
+          it_behaves_like 'hidden issue readable by user'
         end
 
         context 'when admin mode is disabled' do
           it_behaves_like 'issue not readable by user'
           it_behaves_like 'confidential issue not readable by user'
+          it_behaves_like 'hidden issue not readable by user'
         end
       end
 
@@ -817,6 +847,7 @@ RSpec.describe Issue do
 
         it_behaves_like 'issue readable by user'
         it_behaves_like 'confidential issue readable by user'
+        it_behaves_like 'hidden issue not readable by user'
       end
 
       context 'with a reporter user' do
@@ -826,6 +857,7 @@ RSpec.describe Issue do
 
         it_behaves_like 'issue readable by user'
         it_behaves_like 'confidential issue readable by user'
+        it_behaves_like 'hidden issue not readable by user'
       end
 
       context 'with a guest user' do
@@ -835,6 +867,7 @@ RSpec.describe Issue do
 
         it_behaves_like 'issue readable by user'
         it_behaves_like 'confidential issue not readable by user'
+        it_behaves_like 'hidden issue not readable by user'
 
         context 'when user is an assignee' do
           before do
@@ -843,6 +876,7 @@ RSpec.describe Issue do
 
           it_behaves_like 'issue readable by user'
           it_behaves_like 'confidential issue readable by user'
+          it_behaves_like 'hidden issue not readable by user'
         end
 
         context 'when user is the author' do
@@ -852,6 +886,7 @@ RSpec.describe Issue do
 
           it_behaves_like 'issue readable by user'
           it_behaves_like 'confidential issue readable by user'
+          it_behaves_like 'hidden issue not readable by user'
         end
       end
 
@@ -861,6 +896,7 @@ RSpec.describe Issue do
 
           it_behaves_like 'issue readable by user'
           it_behaves_like 'confidential issue not readable by user'
+          it_behaves_like 'hidden issue not readable by user'
         end
 
         context 'using an internal project' do
@@ -873,6 +909,7 @@ RSpec.describe Issue do
 
             it_behaves_like 'issue readable by user'
             it_behaves_like 'confidential issue not readable by user'
+            it_behaves_like 'hidden issue not readable by user'
           end
 
           context 'using an external user' do
@@ -882,6 +919,7 @@ RSpec.describe Issue do
 
             it_behaves_like 'issue not readable by user'
             it_behaves_like 'confidential issue not readable by user'
+            it_behaves_like 'hidden issue not readable by user'
           end
         end
 
@@ -892,6 +930,7 @@ RSpec.describe Issue do
 
           it_behaves_like 'issue not readable by user'
           it_behaves_like 'confidential issue not readable by user'
+          it_behaves_like 'hidden issue not readable by user'
         end
       end
 
@@ -1160,6 +1199,26 @@ RSpec.describe Issue do
     end
   end
 
+  describe '.without_hidden' do
+    let_it_be(:banned_user) { create(:user, :banned) }
+    let_it_be(:public_issue) { create(:issue, project: reusable_project) }
+    let_it_be(:hidden_issue) { create(:issue, project: reusable_project, author: banned_user) }
+
+    it 'only returns without_hidden issues' do
+      expect(described_class.without_hidden).to eq([public_issue])
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(ban_user_feature_flag: false)
+      end
+
+      it 'returns public and hidden issues' do
+        expect(described_class.without_hidden).to eq([public_issue, hidden_issue])
+      end
+    end
+  end
+
   describe '.by_project_id_and_iid' do
     let_it_be(:issue_a) { create(:issue, project: reusable_project) }
     let_it_be(:issue_b) { create(:issue, iid: issue_a.iid) }

spec/policies/issue_policy_spec.rb

@@ -360,6 +360,21 @@ RSpec.describe IssuePolicy do
         expect(permissions(assignee, confidential_issue_no_assignee)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata)
       end
     end
+
+    context 'with a hidden issue' do
+      let(:user) { create(:user) }
+      let(:banned_user) { create(:user, :banned) }
+      let(:admin) { create(:user, :admin)}
+      let(:hidden_issue) { create(:issue, project: project, author: banned_user) }
+
+      it 'does not allow non-admin user to read the issue' do
+        expect(permissions(user, hidden_issue)).not_to be_allowed(:read_issue)
+      end
+
+      it 'allows admin to read the issue', :enable_admin_mode do
+        expect(permissions(admin, hidden_issue)).to be_allowed(:read_issue)
+      end
+    end
   end
 
   context 'with external authorization enabled' do