
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorKerri Miller <kerrizor@kerrizor.com>2019-10-25 15:46:40 +0300
committerKerri Miller <kerrizor@kerrizor.com>2019-11-20 18:09:49 +0300
commit6324a099746475910dec56500e0f834a79f181da (patch)
tree76a9875cfaffddaeea5cf1985f95b32cb6dcaab4 /app
parent23e599fb25c4218bbe6a78670a9d5f43a912ffad (diff)
Restrict branches visible to guests in Issue feed
Notes related to branch creation should not be shown in an issue's activity feed when the user doesn't have access to :download_code.
Diffstat (limited to 'app')
-rw-r--r--app/models/note.rb15
1 files changed, 14 insertions, 1 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index ce60413b8a0..493132e30cc 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -37,6 +37,10 @@ class Note < ApplicationRecord
redact_field :note
+ TYPES_RESTRICTED_BY_ABILITY = {
+ branch: :download_code
+ }.freeze
+
# Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
# See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102
alias_attribute :last_edited_at, :updated_at
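Review bot: `TYPES_RESTRICTED_BY_ABILITY` is added without a comment, yet it is the whole access policy for system notes. The lookup added further down in this commit returns `true` for any action that has no entry, so the map is a list of exceptions and every unlisted system note type stays visible. A comment above the constant would make that explicit for whoever adds the next action, for example `# System note action => project ability required to see notes of that type. Actions not listed here are unrestricted, so add an entry for any new action that reveals repository data.`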
@@ -341,7 +345,7 @@ class Note < ApplicationRecord
end
def visible_for?(user)
- !cross_reference_not_visible_for?(user)
+ !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
end
def award_emoji?
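Review bot: `visible_for?` is now the only place the `:download_code` restriction is applied, so it protects only the code paths that filter notes through this method. The callers are outside this hunk. It is worth confirming that the issue activity feed and any other surface that renders system notes (API responses and notification mail are the usual candidates) call it before exposing a note. A short doc comment on the method would record the contract, for example `# Returns false when the note must be hidden from +user+ (unreadable cross-reference or a system note type the user lacks the ability for).`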
@@ -493,6 +497,15 @@ class Note < ApplicationRecord
private
+ def system_note_viewable_by?(user)
+ return true unless system_note_metadata
+
+ restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
+ return Ability.allowed?(user, restriction, project) if restriction
+
+ true
+ end
+
def keep_around_commit
project.repository.keep_around(self.commit_id)
end
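Review bot: In `system_note_viewable_by?`, `system_note_metadata.action.to_sym` raises `NoMethodError` when `action` is nil, and whether the metadata model guarantees a non-nil action is not visible in this diff. A raise here would propagate out of `visible_for?` instead of returning a boolean. `restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action&.to_sym]` keeps the method total. With that change a nil action is treated like any other unlisted action and the note stays visible, so confirm that is the intended default for this check.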