Fix removing todos for confidential issues

- dont remove todos for authos & assignees
- remove todos for project guests

2 files changed, 13 insertions, 0 deletions

diff --git a/app/services/todos/destroy/confidential_issue_service.rb b/app/services/todos/destroy/confidential_issue_service.rb
index 06cf308a3cd..c5b66df057a 100644
--- a/app/services/todos/destroy/confidential_issue_service.rb
+++ b/app/services/todos/destroy/confidential_issue_service.rb
@@ -14,6 +14,8 @@ module Todos
       override :todos
       def todos
         Todo.where(target: issue)
+          .where('user_id != ?', issue.author_id)
+          .where('user_id NOT IN (?)', issue.assignees.select(:id))
       end
 
       override :todos_to_remove?
@@ -25,6 +27,13 @@ module Todos
       def project_ids
         issue.project_id
       end
+
+      override :authorized_users
+      def authorized_users
+        ProjectAuthorization.select(:user_id)
+          .where(project_id: project_ids)
+          .where('access_level >= ?', Gitlab::Access::REPORTER)
+      end
     end
   end
 end
diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb
index 328a8b39e7b..129e5505a21 100644
--- a/app/services/todos/destroy/entity_leave_service.rb
+++ b/app/services/todos/destroy/entity_leave_service.rb
@@ -42,7 +42,11 @@ module Todos
       end
 
       def confidential_issues
+        assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user_id)
+
         Issue.where(project_id: project_ids, confidential: true)
+          .where('author_id != ?', user_id)
+          .where('id NOT IN (?)', assigned_ids)
       end
     end
   end