diff --git a/ee/app/policies/vulnerabilities/issue_link_policy.rb b/ee/app/policies/vulnerabilities/issue_link_policy.rb
index a6d89b0f38a4d46c19c07d95bb117ee3985e0c22..8c50e21eb9d2cab027b1444650dbde63540148da 100644
--- a/ee/app/policies/vulnerabilities/issue_link_policy.rb
+++ b/ee/app/policies/vulnerabilities/issue_link_policy.rb
@@ -4,8 +4,8 @@ module Vulnerabilities class IssueLinkPolicy < BasePolicy delegate { @subject.vulnerability&.project }
- condition(:issue_readable?) { Ability.allowed?(@user, :read_issue, @subject.issue) }
+ condition(:issue_readable?) { @subject.issue&.readable_by?(@user) }
- rule { ~issue_readable? }.prevent :read_issue_link
+ rule { issue_readable? }.enable :read_issue_link end end
diff --git a/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb b/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb
index c7d3d20ff8bdc2bf8baa22537d4daa42a38c9a4a..fc29f83868a5d05812a1f15856387524215f273a 100644
--- a/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb
+++ b/ee/spec/policies/vulnerabilities/issue_link_policy_spec.rb
@@ -6,7 +6,7 @@ let(:vulnerability_issue_link) { build(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue) } let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, namespace: user.namespace) }
+ let_it_be(:project) { create(:project, :private) }
 let_it_be(:vulnerability) { create(:vulnerability, project: project) }
 let_it_be(:issue) { create(:issue, project: project) }
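Review bot: The new rule `rule { issue_readable? }.enable :read_issue_link` grants the ability purely from the linked issue's readability, whereas the removed `prevent` form only ever narrowed an ability that had to be granted elsewhere (presumably via the `delegate { @subject.vulnerability&.project }` that is still in place). Unless the delegated project policy itself prevents it, a user with no access to the vulnerability's project can now read the link as long as the issue is readable, and the new spec for a private vulnerable project with a public issue project codifies exactly that; this is safe only while the link is reached through a vulnerability that already passed its own read check, so I would state that assumption above the rule, e.g. `# Readability follows the linked issue only; callers must authorize the vulnerability separately.` Separately, `Issue#readable_by?` is not visible here — if it is the hand-maintained fast-path check rather than a delegation to `IssuePolicy`, this condition now depends on it staying in sync with the issue policy (confidential/hidden issues), which `Ability.allowed?(@user, :read_issue, ...)` did not, so a one-line comment explaining why the direct call was chosen would help the next maintainer.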
@@ -38,20 +38,43 @@ end describe ':read_issue_link' do
- before do
- allow(Ability).to receive(:allowed?).with(user, :read_issue, issue).and_return(allowed?)
- end
+ describe 'using the issue#readable_by?' do
+ before do
+ allow(issue).to receive(:readable_by?).with(user).and_return(allowed?)
+ end
+
+ context 'when the associated issue can not be read by the user' do
+ let(:allowed?) { false }
+
+ it { is_expected.to be_disallowed(:read_issue_link) }
+ end
- context 'when the associated issue can not be read by the user' do
- let(:allowed?) { false }
+ context 'when the associated issue can be read by the user' do
+ let(:allowed?) { true }
- it { is_expected.to be_disallowed(:read_issue_link) }
+ it { is_expected.to be_allowed(:read_issue_link) }
+ end end
- context 'when the associated issue can be read by the user' do
- let(:allowed?) { true }
+ describe 'when the vulnerability and the issue belong to different projects' do
+ let_it_be(:other_project) { create(:project, :public) }
+ let_it_be(:issue) { create(:issue, project: other_project) }
+
+ context 'when the issues are disabled for the vulnerable project' do
+ before do
+ project.project_feature.update_column(:issues_access_level, ProjectFeature::DISABLED)
+ end
+
+ it { is_expected.to be_allowed(:read_issue_link) }
+ end
+
+ context 'when the issues are disabled for the issue project' do
+ before do
+ other_project.project_feature.update_column(:issues_access_level, ProjectFeature::DISABLED)
+ end
- it { is_expected.to be_allowed(:read_issue_link) }
+ it { is_expected.to be_disallowed(:read_issue_link) }
+ end end end end
diff --git a/ee/spec/requests/api/graphql/vulnerabilities/issue_links_spec.rb b/ee/spec/requests/api/graphql/vulnerabilities/issue_links_spec.rb
index 15828f0a4c62843336cd4e4560baeea4e0b783de..e1eda24c9c51a77b9813099790a500254f221b1d 100644
--- a/ee/spec/requests/api/graphql/vulnerabilities/issue_links_spec.rb
+++ b/ee/spec/requests/api/graphql/vulnerabilities/issue_links_spec.rb
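Review bot: The unstubbed cross-project cases added under `describe 'when the vulnerability and the issue belong to different projects'` only toggle the issues feature level on a public `other_project`; they never exercise a confidential issue or a private issue project, which is exactly where a fast-path `readable_by?` and the old `Ability.allowed?(..., :read_issue, ...)` path are most likely to diverge. I would add a context such as `let_it_be(:issue) { create(:issue, :confidential, project: other_project) }` (or `confidential: true` if that trait does not exist) expecting `be_disallowed(:read_issue_link)` for the non-member `user`, so a regression in the issue-side check is caught by this policy spec rather than downstream. The `describe ':read_issue_link'` block is fully inside the hunk, but the enclosing `RSpec.describe` and its `let` setup start before it.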
@@ -99,7 +99,9 @@ # 22) Select issue project # 23) Select issue user # 24) Select project features
- expect { query_issue_links }.not_to exceed_query_limit(24)
+ # 25) Loading the project authorizations
+ # 26) Loading the namespace
+ expect { query_issue_links }.not_to exceed_query_limit(26) end end