Merge branch 'fix-events-finder-incomplete-11-3' into 'security-11-3'

[11.3] Redact events shown in the events API

See merge request gitlab/gitlabhq!2518

1 files changed, 19 insertions, 3 deletions

diff --git a/lib/api/events.rb b/lib/api/events.rb
index a415508a632..2cf6d0f0ef2 100644
--- a/lib/api/events.rb
+++ b/lib/api/events.rb
@@ -16,11 +16,26 @@ module API
                         desc: 'Return events sorted in ascending and descending order'
       end
 
-      def present_events(events)
+      RedactedEvent = OpenStruct.new(target_title: 'Confidential event').freeze
+
+      def redact_events(events)
+        events.map do |event|
+          if event.visible_to_user?(current_user)
+            event
+          else
+            RedactedEvent
+          end
+        end
+      end
+
+      def present_events(events, redact: true)
         events = events.reorder(created_at: params[:sort])
                  .with_associations
 
-        present paginate(events), with: Entities::Event
+        events = paginate(events)
+        events = redact_events(events) if redact
+
+        present events, with: Entities::Event
       end
     end
 
@@ -41,7 +56,8 @@ module API
 
         events = EventsFinder.new(params.merge(source: current_user, current_user: current_user)).execute.preload(:author, :target)
 
-        present_events(events)
+        # Since we're viewing our own events, redaction is unnecessary
+        present_events(events, redact: false)
       end
     end