authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-24 06:09:05 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-24 06:09:05 +0300
commit07d0374b204881f2bd64ed897e4bbab19f180cc9 (patch)
treeed7837a31c0edae5e8ec876626b0bf3ecb3db68c /app
parent2ed3b0abccc8de391f1a9de2bc5785d3e0f5b018 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/issuable_actions.rb2
-rw-r--r--app/controllers/concerns/notes_actions.rb2
-rw-r--r--app/models/ci/job_artifact.rb2
-rw-r--r--app/models/discussion.rb3
-rw-r--r--app/models/note.rb16
-rw-r--r--app/models/project.rb2
-rw-r--r--app/policies/note_policy.rb4
-rw-r--r--app/policies/personal_snippet_policy.rb3
-rw-r--r--app/services/notification_service.rb2
-rw-r--r--app/views/shared/notes/_note.html.haml2
10 files changed, 22 insertions, 16 deletions
diff --git a/app/controllers/concerns/issuable_actions.rb b/app/controllers/concerns/issuable_actions.rb
index c4abaacd573..ca43bf42580 100644
--- a/app/controllers/concerns/issuable_actions.rb
+++ b/app/controllers/concerns/issuable_actions.rb
@@ -137,7 +137,7 @@ module IssuableActions
end
notes = prepare_notes_for_rendering(notes)
- notes = notes.select { |n| n.visible_for?(current_user) }
+ notes = notes.select { |n| n.readable_by?(current_user) }
discussions = Discussion.build_collection(notes, issuable)
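Review bot: The `select` now decides visibility through `Note#readable_by?`, which this commit defines as `Ability.allowed?(user, :read_note, self)`, so the list comes back empty for any noteable whose parent policy does not enable `:read_note`. The identical line in `notes_actions.rb` has the same dependency. The commit adds that ability to `PersonalSnippetPolicy`, which suggests other parent policies needed the same check; this diff is limited to `app`, so that cannot be confirmed from here. A comment such as `# filters via NotePolicy (:read_note), not only system-note reference visibility` would tell the next reader that this is a full permission check. The enclosing method starts and ends outside the hunk.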
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index 3d599d9e7f9..7dd2f6e5706 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -29,7 +29,7 @@ module NotesActions
end
notes = prepare_notes_for_rendering(notes)
- notes = notes.select { |n| n.visible_for?(current_user) }
+ notes = notes.select { |n| n.readable_by?(current_user) }
notes_json[:notes] =
if use_note_serializer?
diff --git a/app/models/ci/job_artifact.rb b/app/models/ci/job_artifact.rb
index b66bc78094f..8defe742ec4 100644
--- a/app/models/ci/job_artifact.rb
+++ b/app/models/ci/job_artifact.rb
@@ -74,7 +74,7 @@ module Ci
scope :with_files_stored_locally, -> { where(file_store: [nil, ::JobArtifactUploader::Store::LOCAL]) }
scope :with_files_stored_remotely, -> { where(file_store: ::JobArtifactUploader::Store::REMOTE) }
- scope :for_sha, ->(sha) { joins(job: :pipeline).where(ci_pipelines: { sha: sha }) }
+ scope :for_sha, ->(sha, project_id) { joins(job: :pipeline).where(ci_pipelines: { sha: sha, project_id: project_id }) }
scope :with_file_types, -> (file_types) do
types = self.file_types.select { |file_type| file_types.include?(file_type) }.values
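Review bot: `for_sha` now takes two required arguments, and because the scope body is a lambda, a caller still passing only the SHA raises `ArgumentError` at call time. No call sites are visible in this path-limited diff, so they need checking. The added `project_id` condition matters because the same commit SHA can exist in more than one project, which the one-argument form would have matched across projects. A comment above the scope would record that, e.g. `# project_id is required: a SHA alone is not unique across projects`. A nil `project_id` would produce an `IS NULL` condition rather than dropping the filter, which presumably matches no rows.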
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index d0a7db39a30..5c45c5fb7fb 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -19,7 +19,8 @@ class Discussion
:noteable_ability_name,
:to_ability_name,
:editable?,
- :visible_for?,
+ :system_note_with_references_visible_for?,
+ :resource_parent,
to: :first_note
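Review bot: `Discussion` now forwards `system_note_with_references_visible_for?` to its first note but not `readable_by?`, so a caller holding a discussion can reach only the narrower check that the comment in `note.rb` says not to use for read permissions. If discussions need a visibility check outside NotePolicy, delegating `:readable_by?` here would give them the policy-backed one. If the delegation exists only for the policy, a comment such as `# policy-internal; use Note#readable_by? for read checks` on the definition added further down in `note.rb` (above `private`) would say so. The delegate call starts outside the hunk.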
diff --git a/app/models/note.rb b/app/models/note.rb
index 97e84bb79f6..561391a55b6 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -223,7 +223,7 @@ class Note < ApplicationRecord
end
# rubocop: disable CodeReuse/ServiceClass
- def cross_reference?
+ def system_note_with_references?
return unless system?
if force_cross_reference_regex_check?
@@ -339,12 +339,10 @@ class Note < ApplicationRecord
super
end
- def cross_reference_not_visible_for?(user)
- cross_reference? && !all_referenced_mentionables_allowed?(user)
- end
-
- def visible_for?(user)
- !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
+ # This method is to be used for checking read permissions on a note instead of `system_note_with_references_visible_for?`
+ def readable_by?(user)
+ # note_policy accounts for #system_note_with_references_visible_for?(user) check when granting read access
+ Ability.allowed?(user, :read_note, self)
end
def award_emoji?
@@ -504,6 +502,10 @@ class Note < ApplicationRecord
noteable.user_mentions.where(note: self)
end
+ def system_note_with_references_visible_for?(user)
+ (!system_note_with_references? || all_referenced_mentionables_allowed?(user)) && system_note_viewable_by?(user)
+ end
+
private
# Using this method followed by a call to `save` may result in ActiveRecord::RecordNotUnique exception
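Review bot: The body of `system_note_with_references_visible_for?` folds two independent checks into one boolean expression, which is hard to audit for an authorization predicate. Splitting it reads more directly: `return false unless system_note_viewable_by?(user)` followed by `!system_note_with_references? || all_referenced_mentionables_allowed?(user)`. This evaluates `system_note_viewable_by?` first, which should be equivalent provided neither helper has side effects; their definitions are outside the hunk.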
diff --git a/app/models/project.rb b/app/models/project.rb
index e16bd568153..6ff5016be03 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1374,7 +1374,7 @@ class Project < ApplicationRecord
@lfs_storage_project ||= begin
result = self
- # TODO: Make this go to the fork_network root immeadiatly
+ # TODO: Make this go to the fork_network root immediately
# dependant on the discussion in: https://gitlab.com/gitlab-org/gitlab-foss/issues/39769
result = result.fork_source while result&.forked?
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index dcde8cefa0d..54dc70b08cb 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class NotePolicy < BasePolicy
- delegate { @subject.project }
+ delegate { @subject.resource_parent }
delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
condition(:is_author) { @user && @subject.author == @user }
@@ -11,7 +11,7 @@ class NotePolicy < BasePolicy
condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
- condition(:is_visible) { @subject.visible_for?(@user) }
+ condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
rule { ~editable }.prevent :admin_note
diff --git a/app/policies/personal_snippet_policy.rb b/app/policies/personal_snippet_policy.rb
index bc60913563c..205dad6ea5f 100644
--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@@ -7,6 +7,7 @@ class PersonalSnippetPolicy < BasePolicy
rule { public_snippet }.policy do
enable :read_snippet
+ enable :read_note
enable :create_note
end
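Review bot: `:read_note` is enabled by hand next to `:read_snippet` in three separate rules (this one and the two in the next hunk), and nothing ties the two abilities together. Since `Note#readable_by?` in this commit resolves through `:read_note`, a later rule that grants one without the other would either hide a snippet's notes or expose them apart from the snippet. A comment on the first rule such as `# read_note must follow read_snippet: Note#readable_by? checks it via NotePolicy` would help. A policy spec asserting the pair for each visibility level would keep them aligned. The condition on the middle rule is outside the hunk, so who receives it cannot be confirmed from here.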
@@ -14,11 +15,13 @@ class PersonalSnippetPolicy < BasePolicy
enable :read_snippet
enable :update_snippet
enable :admin_snippet
+ enable :read_note
enable :create_note
end
rule { internal_snippet & ~external_user }.policy do
enable :read_snippet
+ enable :read_note
enable :create_note
end
diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb
index a75eaa99c23..ac7ef6fb970 100644
--- a/app/services/notification_service.rb
+++ b/app/services/notification_service.rb
@@ -283,7 +283,7 @@ class NotificationService
return true unless note.noteable_type.present?
# ignore gitlab service messages
- return true if note.cross_reference? && note.system?
+ return true if note.system_note_with_references?
send_new_note_notifications(note)
end
diff --git a/app/views/shared/notes/_note.html.haml b/app/views/shared/notes/_note.html.haml
index 5c9dd72418e..50bc4fb35df 100644
--- a/app/views/shared/notes/_note.html.haml
+++ b/app/views/shared/notes/_note.html.haml
@@ -1,5 +1,5 @@
- return unless note.author
-- return if note.cross_reference_not_visible_for?(current_user)
+- return unless note.readable_by?(current_user)
- show_image_comment_badge = local_assigns.fetch(:show_image_comment_badge, false)
- note_editable = can?(current_user, :admin_note, note)