# frozen_string_literal: true module Todos module Destroy class EntityLeaveService < ::Todos::Destroy::BaseService extend ::Gitlab::Utils::Override attr_reader :user, :entity # rubocop: disable CodeReuse/ActiveRecord def initialize(user_id, entity_id, entity_type) unless %w(Group Project).include?(entity_type) raise ArgumentError.new("#{entity_type} is not an entity user can leave") end @user = User.find_by(id: user_id) @entity = entity_type.constantize.find_by(id: entity_id) end # rubocop: enable CodeReuse/ActiveRecord def execute return unless entity && user # if at least reporter, all entities including confidential issues can be accessed return if user_has_reporter_access? remove_confidential_resource_todos if entity.private? remove_project_todos remove_group_todos else enqueue_private_features_worker end end private def enqueue_private_features_worker projects.each do |project| TodosDestroyer::PrivateFeaturesWorker.perform_async(project.id, user.id) end end # rubocop: disable CodeReuse/ActiveRecord def remove_confidential_resource_todos Todo.where( target_id: confidential_issues.select(:id), target_type: Issue.name, user_id: user.id ).delete_all end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def remove_project_todos # Issues are viewable by guests (even in private projects), so remove those todos # from projects without guest access Todo.where(project_id: non_authorized_guest_projects, user_id: user.id) .delete_all # MRs require reporter access, so remove those todos that are not authorized Todo.where(project_id: non_authorized_reporter_projects, target_type: MergeRequest.name, user_id: user.id) .delete_all end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def remove_group_todos Todo.where(group_id: non_authorized_groups, user_id: user.id).delete_all end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def projects condition = case entity when Project { id: entity.id } when Namespace { namespace_id: non_authorized_reporter_groups } end Project.where(condition) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def authorized_reporter_projects user.authorized_projects(Gitlab::Access::REPORTER).select(:id) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def authorized_guest_projects user.authorized_projects(Gitlab::Access::GUEST).select(:id) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def non_authorized_reporter_projects projects.where('id NOT IN (?)', authorized_reporter_projects) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def non_authorized_guest_projects projects.where('id NOT IN (?)', authorized_guest_projects) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def authorized_reporter_groups GroupsFinder.new(user, min_access_level: Gitlab::Access::REPORTER).execute.select(:id) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def non_authorized_groups return [] unless entity.is_a?(Namespace) entity.self_and_descendants.select(:id) .where('id NOT IN (?)', GroupsFinder.new(user).execute.select(:id)) end # rubocop: enable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord def non_authorized_reporter_groups entity.self_and_descendants.select(:id) .where('id NOT IN (?)', authorized_reporter_groups) end # rubocop: enable CodeReuse/ActiveRecord def user_has_reporter_access? return unless entity.is_a?(Namespace) entity.member?(User.find(user.id), Gitlab::Access::REPORTER) end # rubocop: disable CodeReuse/ActiveRecord def confidential_issues assigned_ids = IssueAssignee.select(:issue_id).where(user_id: user.id) Issue.where(project_id: projects, confidential: true) .where('project_id NOT IN(?)', authorized_reporter_projects) .where('author_id != ?', user.id) .where('id NOT IN (?)', assigned_ids) end # rubocop: enable CodeReuse/ActiveRecord end end end Todos::Destroy::EntityLeaveService.prepend_if_ee('EE::Todos::Destroy::EntityLeaveService')