Add latest changes from gitlab-org/gitlab@master

3 files changed, 7 insertions, 3 deletions

diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index aa07bb7dc5f..779384ee3fe 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -16,6 +16,9 @@ class IssuablePolicy < BasePolicy
 
   condition(:is_incident) { @subject.incident? }
 
+  desc "Issuable is hidden"
+  condition(:hidden, scope: :subject) { @subject.hidden? }
+
   rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
     enable :read_issue
     enable :update_issue
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 491eebe9daf..7d4e42580b8 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -21,9 +21,6 @@ class IssuePolicy < IssuablePolicy
   desc "Issue is confidential"
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
-  desc "Issue is hidden"
-  condition(:hidden, scope: :subject) { @subject.hidden? }
-
   desc "Issue is persisted"
   condition(:persisted, scope: :subject) { @subject.persisted? }
 
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 32128d84d0b..8da2af506c7 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -27,6 +27,10 @@ class MergeRequestPolicy < IssuablePolicy
     enable :update_subscription
   end
 
+  rule { hidden & ~admin }.policy do
+    prevent :read_merge_request
+  end
+
   condition(:can_merge) { @subject.can_be_merged_by?(@user) }
 
   rule { can_merge }.policy do