File: note.rb

package info (click to toggle)
gitlab 17.6.5-19
links: PTS, VCS
area: main
in suites: sid
size: 629,368 kB
sloc: ruby: 1,915,304; javascript: 557,307; sql: 60,639; xml: 6,509; sh: 4,567; makefile: 1,239; python: 406
file content (844 lines) | stat: -rw-r--r-- 24,246 bytes
# frozen_string_literal: true

# A note on the root of an issue, merge request, commit, or snippet.
#
# A note of this type is never resolvable.
class Note < ApplicationRecord
  extend ActiveModel::Naming
  extend Gitlab::Utils::Override

  include Notes::ActiveRecord
  include Notes::Discussion

  include Gitlab::Utils::StrongMemoize
  include Participable
  include Mentionable
  include Awardable
  include Importable
  include Import::HasImportSource
  include FasterCacheKeys
  include Redactable
  include CacheMarkdownField
  include AfterCommitQueue
  include ResolvableNote
  include Editable
  include Gitlab::SQL::Pattern
  include ThrottledTouch
  include FromUnion
  include Sortable
  include EachBatch
  include Spammable

  cache_markdown_field :note, pipeline: :note, issuable_reference_expansion_enabled: true

  redact_field :note

  TYPES_RESTRICTED_BY_PROJECT_ABILITY = {
    branch: :download_code
  }.freeze

  TYPES_RESTRICTED_BY_GROUP_ABILITY = {
    contact: :read_crm_contact
  }.freeze

  NON_DIFF_NOTE_TYPES = ['Note', 'DiscussionNote', nil].freeze

  # Attribute containing rendered and redacted Markdown as generated by
  # Banzai::ObjectRenderer.
  attr_accessor :redacted_note_html

  # Total of all references as generated by Banzai::ObjectRenderer
  attr_accessor :total_reference_count

  # Number of user visible references as generated by Banzai::ObjectRenderer
  attr_accessor :user_visible_reference_count

  # Attribute used to store the attributes that have been changed by quick actions.
  attr_writer :commands_changes

  # Attribute used to store the status of quick actions.
  attr_accessor :quick_actions_status

  # Attribute used to determine whether keep_around_commits will be skipped for diff notes.
  attr_accessor :skip_keep_around_commits

  attribute :system, default: false

  attr_spammable :note, spam_description: true

  attr_mentionable :note, pipeline: :note
  participant :author

  belongs_to :namespace
  belongs_to :project
  belongs_to :noteable, polymorphic: true # rubocop:disable Cop/PolymorphicAssociations
  belongs_to :review, inverse_of: :notes

  # The delete_all definition is required here in order
  # to generate the correct DELETE sql for
  # suggestions.delete_all calls
  has_many :suggestions, -> { order(:relative_order) },
    inverse_of: :note, dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent
  has_one :system_note_metadata
  has_one :note_metadata, inverse_of: :note, class_name: 'Notes::NoteMetadata'
  has_one :note_diff_file, inverse_of: :diff_note, foreign_key: :diff_note_id
  has_many :diff_note_positions

  # rubocop:disable Cop/ActiveRecordDependent -- polymorphic association
  has_many :events, as: :target, dependent: :delete_all
  # rubocop:enable Cop/ActiveRecordDependent

  delegate :gfm_reference, :local_reference, to: :noteable
  delegate :name, to: :project, prefix: true
  delegate :title, to: :noteable, allow_nil: true

  accepts_nested_attributes_for :note_metadata

  validates :project, presence: true, if: :for_project_noteable?
  validates :namespace, presence: true

  # Attachments are deprecated and are handled by Markdown uploader
  validates :attachment, file_size: { maximum: :max_attachment_size }

  validates :noteable_type, presence: true
  validates :noteable_id, presence: true, unless: [:for_commit?, :importing?]
  validates :commit_id, presence: true, if: :for_commit?

  validate :ensure_noteable_can_have_confidential_note
  validate :ensure_note_type_can_be_confidential
  validate :ensure_confidentiality_not_changed, on: :update
  validate :ensure_confidentiality_discussion_compliance

  validate unless: [:for_commit?, :importing?, :skip_project_check?] do |note|
    unless note.noteable.try(:project) == note.project
      errors.add(:project, 'does not match noteable project')
    end
  end

  validate :does_not_exceed_notes_limit?, on: :create, unless: [:system?, :importing?]

  # @deprecated attachments are handled by the Upload model.
  #
  # https://gitlab.com/gitlab-org/gitlab/-/issues/20830
  mount_uploader :attachment, AttachmentUploader

  # Scopes
  scope :for_commit_id, ->(commit_id) { where(noteable_type: "Commit", commit_id: commit_id) }
  scope :system, -> { where(system: true) }
  scope :user, -> { where(system: false) }
  scope :not_internal, -> { where(internal: false) }
  scope :common, -> { where(noteable_type: ["", nil]) }
  scope :fresh, -> { order_created_asc.with_order_id_asc }
  scope :updated_after, ->(time) { where('updated_at > ?', time) }
  scope :with_suggestions, -> { joins(:suggestions) }
  scope :inc_author, -> { includes(:author) }
  scope :authored_by, ->(user) { where(author: user) }
  scope :inc_note_diff_file, -> { includes(:note_diff_file) }
  scope :with_api_entity_associations, -> { preload(:note_diff_file, :author) }
  scope :inc_relations_for_view, ->(noteable = nil) do
    relations = [
      { project: :group }, { author: :status }, :updated_by, :resolved_by,
      :award_emoji, :note_metadata, :suggestions,
      { system_note_metadata: { description_version: [:issue, :merge_request] } }
    ]

    if noteable.nil? || DiffNote.noteable_types.include?(noteable.class.name)
      relations += [:note_diff_file, :diff_note_positions]
    end

    includes(relations)
  end

  scope :with_notes_filter, ->(notes_filter) do
    case notes_filter
    when UserPreference::NOTES_FILTERS[:only_comments]
      user
    when UserPreference::NOTES_FILTERS[:only_activity]
      system
    else
      all
    end
  end

  scope :diff_notes, -> { where(type: %w[LegacyDiffNote DiffNote]) }
  scope :new_diff_notes, -> { where(type: 'DiffNote') }
  scope :non_diff_notes, -> { where(type: NON_DIFF_NOTE_TYPES) }

  scope :with_associations, -> do
    # FYI noteable cannot be loaded for LegacyDiffNote for commits
    includes(
      :author, :noteable, :updated_by,
      project: [:project_members, :namespace, { group: [:group_members] }]
    )
  end
  scope :with_metadata, -> { includes(:system_note_metadata) }

  scope :without_hidden, -> {
    if Feature.enabled?(:hidden_notes)
      where_not_exists(Users::BannedUser.where('notes.author_id = banned_users.user_id'))
    else
      all
    end
  }

  scope :for_note_or_capitalized_note, ->(text) { where(note: [text, text.capitalize]) }
  scope :like_note_or_capitalized_note, ->(text) { where('(note LIKE ? OR note LIKE ?)', text, text.capitalize) }

  before_validation :ensure_namespace_id, :nullify_blank_type, :nullify_blank_line_code
  # Syncs `confidential` with `internal` as we rename the column.
  # https://gitlab.com/gitlab-org/gitlab/-/issues/367923
  before_create :set_internal_flag
  after_save :keep_around_commit, if: :for_project_noteable?, unless: -> { importing? || skip_keep_around_commits }
  after_save :touch_noteable, unless: :importing?
  after_commit :notify_after_create, on: :create
  after_commit :notify_after_destroy, on: :destroy

  after_commit :trigger_note_subscription_create, on: :create
  after_commit :trigger_note_subscription_update, on: :update
  after_commit :trigger_note_subscription_destroy, on: :destroy
  after_commit :broadcast_noteable_notes_changed, unless: :importing?

  def trigger_note_subscription_create
    return unless trigger_note_subscription?

    GraphqlTriggers.work_item_note_created(noteable.to_work_item_global_id, self)
  end

  def trigger_note_subscription_update
    return unless trigger_note_subscription?

    GraphqlTriggers.work_item_note_updated(noteable.to_work_item_global_id, self)
  end

  def trigger_note_subscription_destroy
    return unless trigger_note_subscription?

    # when deleting a note, we cannot pass it on as a Note instance, as GitlabSchema.object_from_id
    # would try to resolve the given Note and fetch it from DB which would raise NotFound exception.
    # So instead we just pass over the string representations of the note and discussion IDs,
    # so that the subscriber can identify the discussion and the note.
    deleted_note_data = {
      id: self.id,
      model_name: self.class.name,
      discussion_id: self.discussion_id,
      last_discussion_note: discussion.notes == [self]
    }

    GraphqlTriggers.work_item_note_deleted(noteable.to_work_item_global_id, deleted_note_data)
  end

  class << self
    extend Gitlab::Utils::Override

    def model_name
      ActiveModel::Name.new(self, nil, 'note')
    end

    def parent_object_field
      :noteable
    end

    # Group diff discussions by line code or file path.
    # It is not needed to group by line code when comment is
    # on an image.
    def grouped_diff_discussions(diff_refs = nil)
      groups = {}

      diff_notes.fresh.discussions.each do |discussion|
        group_key =
          if discussion.on_image?
            discussion.file_new_path
          else
            discussion.line_code_in_diffs(diff_refs)
          end

        if group_key
          discussions = groups[group_key] ||= []
          discussions << discussion
        end
      end

      groups
    end

    def positions
      where.not(position: nil)
        .select(:id, :type, :position) # ActiveRecord needs id and type for typecasting.
        .map(&:position)
    end

    def count_for_collection(ids, type, count_column = 'COUNT(*) as count')
      user.select(:noteable_id, count_column)
        .group(:noteable_id)
        .where(noteable_type: type, noteable_id: ids)
    end

    def search(query)
      fuzzy_search(query, [:note])
    end

    # Override the `Sortable` module's `.simple_sorts` to remove name sorting,
    # as a `Note` does not have any property that correlates to a "name".
    override :simple_sorts
    def simple_sorts
      super.except('name_asc', 'name_desc')
    end

    def cherry_picked_merge_requests(shas)
      where(noteable_type: 'MergeRequest', commit_id: shas).select(:noteable_id)
    end

    def with_web_entity_associations
      preload(:project, :author, :noteable)
    end
  end

  # rubocop: disable CodeReuse/ServiceClass
  def system_note_with_references?
    return unless system?

    if force_cross_reference_regex_check?
      matches_cross_reference_regex?
    else
      ::SystemNotes::IssuablesService.cross_reference?(note)
    end
  end
  # rubocop: enable CodeReuse/ServiceClass

  def diff_note?
    false
  end

  def active?
    true
  end

  def max_attachment_size
    Gitlab::CurrentSettings.max_attachment_size.megabytes.to_i
  end

  def hook_attrs
    Gitlab::HookData::NoteBuilder.new(self).build
  end

  def supports_suggestion?
    false
  end

  def for_commit?
    noteable_type == "Commit"
  end

  def for_issue?
    noteable_type == "Issue"
  end

  def for_work_item?
    noteable.is_a?(WorkItem)
  end

  def for_merge_request?
    noteable_type == "MergeRequest"
  end

  def for_snippet?
    noteable_type == "Snippet"
  end

  def for_alert_mangement_alert?
    noteable_type == 'AlertManagement::Alert'
  end

  def for_vulnerability?
    noteable_type == "Vulnerability"
  end

  def for_project_snippet?
    noteable.is_a?(ProjectSnippet)
  end

  def for_personal_snippet?
    noteable.is_a?(PersonalSnippet)
  end

  def for_wiki_page?
    noteable_type == "WikiPage::Meta"
  end

  def for_project_noteable?
    !(for_personal_snippet? || for_abuse_report? || group_level_issue?)
  end

  def group_level_issue?
    (for_issue? || for_work_item?) && noteable&.project_id.blank?
  end

  def for_design?
    noteable_type == DesignManagement::Design.name
  end

  def for_issuable?
    for_issue? || for_merge_request?
  end

  def for_abuse_report?
    noteable_type == AbuseReport.name
  end

  def skip_project_check?
    !for_project_noteable?
  end

  def commit
    @commit ||= project.commit(commit_id) if commit_id.present?
  end

  # Notes on merge requests and commits can be traced back to one or several
  # MRs. This method returns a relation if the note is for one of these types,
  # or nil if it is a note on some other object.
  def merge_requests
    if for_commit?
      project.merge_requests.by_commit_sha(commit_id)
    elsif for_merge_request?
      MergeRequest.id_in(noteable_id)
    end
  end

  # override to return commits, which are not active record
  def noteable
    return commit if for_commit?

    super
  rescue StandardError
    # Temp fix to prevent app crash
    # if note commit id doesn't exist
    nil
  end

  # FIXME: Hack for polymorphic associations with STI
  #        For more information visit http://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html#label-Polymorphic+Associations
  def noteable_type=(noteable_type)
    super(noteable_type.to_s.classify.constantize.base_class.to_s)
  end

  def contributor?
    project&.team&.contributor?(self.author_id)
  end

  def human_max_access
    project&.team&.human_max_access(self.author_id)
  end

  def noteable_author?(noteable)
    noteable.author == self.author
  end

  def project_name
    project&.name
  end

  def confidential?(include_noteable: false)
    return true if confidential

    include_noteable && noteable.try(:confidential?)
  end

  def editable?
    !system?
  end

  # We used `last_edited_at` as an alias of `updated_at` before.
  # This makes it compatible with the previous way without data migration.
  def last_edited_at
    super || updated_at
  end

  # Since we used `updated_at` as `last_edited_at`, it could be touched by transforming / resolving a note.
  # This makes sure it is only marked as edited when the note body is updated.
  def edited?
    return false if updated_by.blank?

    super
  end

  def award_emoji?
    can_be_award_emoji? && contains_emoji_only?
  end

  def emoji_awardable?
    !system?
  end

  def can_be_award_emoji?
    noteable.is_a?(Awardable) && !part_of_discussion?
  end

  def contains_emoji_only?
    note =~ /\A#{Banzai::Filter::EmojiFilter.emoji_pattern}\s?\Z/
  end

  def noteable_ability_name
    if for_snippet?
      'snippet'
    elsif for_alert_mangement_alert?
      'alert_management_alert'
    elsif for_vulnerability?
      'security_resource'
    elsif for_wiki_page?
      'wiki_page'
    else
      noteable_type.demodulize.underscore
    end
  end

  def can_be_discussion_note?
    self.noteable.supports_discussions? && !part_of_discussion? && !system?
  end

  def can_create_todo?
    # Skip system notes, and notes on snippets
    !system? && !for_snippet?
  end

  def references
    refs = [noteable]

    if part_of_discussion?
      refs += discussion.notes.take_while { |n| n.id < id }
    end

    refs
  end

  def bump_updated_at
    # Instead of calling touch which is throttled via ThrottledTouch concern,
    # we bump the updated_at column directly. This also prevents executing
    # after_commit callbacks that we don't need.
    attributes_to_update = { updated_at: Time.current }

    # Notes that were edited before the `last_edited_at` column was added, fall back to `updated_at` for the edit time.
    # We copy this over to the correct column so we don't erroneously change the edit timestamp.
    if updated_by_id.present? && read_attribute(:last_edited_at).blank?
      attributes_to_update[:last_edited_at] = updated_at
    end

    update_columns(attributes_to_update)
  end

  def broadcast_noteable_notes_changed
    noteable&.broadcast_notes_changed
  end

  def touch(*args, **kwargs)
    # We're not using an explicit transaction here because this would in all
    # cases result in all future queries going to the primary, even if no writes
    # are performed.
    #
    # We touch the noteable first so its SELECT query can run before our writes,
    # ensuring it runs on a secondary (if no prior write took place).
    touch_noteable
    super
  end

  # By default Rails will issue an "SELECT *" for the relation, which is
  # overkill for just updating the timestamps. To work around this we manually
  # touch the data so we can SELECT only the columns we need.
  def touch_noteable
    # Commits are not stored in the DB so we can't touch them.
    # Vulnerabilities should not be touched as they are tracked in the same manner as other issuable types
    return if for_vulnerability? || for_commit?

    assoc = association(:noteable)

    noteable_object =
      if assoc.loaded?
        noteable
      else
        # If the object is not loaded (e.g. when notes are loaded async) we
        # _only_ want the data we actually need.
        assoc.scope.select(:id, :updated_at).take
      end

    noteable_object&.touch

    # We return the noteable object so we can re-use it in EE for Elasticsearch.
    noteable_object
  end

  def notify_after_create
    noteable&.after_note_created(self)
  end

  def notify_after_destroy
    noteable&.after_note_destroyed(self)
  end

  def banzai_render_context(field)
    additional_attributes = { noteable: noteable, system_note: system?, label_url_method: noteable_label_url_method }
    additional_attributes[:group] = namespace if namespace.is_a?(Group)

    super.merge(additional_attributes)
  end

  def retrieve_upload(_identifier, paths)
    Upload.find_by(model: self, path: paths)
  end

  def resource_parent
    noteable.try(:resource_parent) || project
  end

  def user_mentions
    return Note.none unless noteable.present?

    noteable.user_mentions.where(note: self)
  end

  def system_note_visible_for?(user)
    return true unless system?

    system_note_viewable_by?(user) && all_referenced_mentionables_allowed?(user)
  end

  def parent_user
    noteable.author if for_personal_snippet?
  end

  def skip_notification?
    review.present? || !author.can_trigger_notifications?
  end

  def post_processed_cache_key
    cache_key_items = [cache_key, author&.cache_key]
    cache_key_items << project.team.human_max_access(author&.id) if author.present?
    cache_key_items << Digest::SHA1.hexdigest(redacted_note_html) if redacted_note_html.present?

    cache_key_items.join(':')
  end

  override :user_mention_class
  def user_mention_class
    return if noteable.blank?

    noteable.user_mention_class
  end

  override :user_mention_identifier
  def user_mention_identifier
    return if noteable.blank?

    noteable.user_mention_identifier.merge({
      note_id: id
    })
  end

  def show_outdated_changes?
    return false unless for_merge_request?
    return false unless system?
    return false if change_position&.on_file?
    return false unless change_position&.line_range

    change_position.line_range["end"] || change_position.line_range["start"]
  end

  def commands_changes
    @commands_changes&.slice(
      :due_date,
      :label_ids,
      :remove_label_ids,
      :add_label_ids,
      :canonical_issue_id,
      :clone_with_notes,
      :confidential,
      :create_merge_request,
      :add_contacts,
      :remove_contacts,
      :assignee_ids,
      :milestone_id,
      :time_estimate,
      :spend_time,
      :discussion_locked,
      :merge,
      :rebase,
      :wip_event,
      :target_branch,
      :reviewer_ids,
      :health_status,
      :promote_to_epic,
      :weight,
      :emoji_award,
      :todo_event,
      :subscription_event,
      :state_event,
      :title,
      :tag_message,
      :tag_name
    )
  end

  def mentioned_users(current_user = nil)
    users = super

    return users unless confidential?

    Ability.users_that_can_read_internal_notes(users, resource_parent)
  end

  def mentioned_filtered_user_ids_for(references)
    return super unless confidential?

    user_ids = references.mentioned_user_ids.presence

    return [] if user_ids.blank?

    users = User.where(id: user_ids)
    Ability.users_that_can_read_internal_notes(users, resource_parent).pluck(:id)
  end

  def issuable_ability_name
    confidential? ? :read_internal_note : :read_note
  end

  def exportable_record?(user)
    return true unless system?

    readable_by?(user)
  end

  # Override method defined in Spammable
  # Wildcard argument because user: argument is not used
  def check_for_spam?(*)
    return false if system? || !spammable_attribute_changed? || confidential?
    return false if noteable.try(:confidential?) == true || noteable.try(:public?) == false
    return false if noteable.try(:group)&.public? == false || project&.public? == false

    true
  end

  # Use attributes.keys instead of attribute_names to filter out the fields that are skipped during export:
  #
  # - note_html
  # - cached_markdown_version
  def attribute_names_for_serialization
    attributes.keys
  end

  private

  def trigger_note_subscription?
    for_issue? && noteable
  end

  def system_note_viewable_by?(user)
    return true unless system_note_metadata

    system_note_viewable_by_project_ability?(user) && system_note_viewable_by_group_ability?(user)
  end

  def system_note_viewable_by_project_ability?(user)
    project_restriction = TYPES_RESTRICTED_BY_PROJECT_ABILITY[system_note_metadata.action.to_sym]
    !project_restriction || Ability.allowed?(user, project_restriction, project)
  end

  def system_note_viewable_by_group_ability?(user)
    group_restriction = TYPES_RESTRICTED_BY_GROUP_ABILITY[system_note_metadata.action.to_sym]
    !group_restriction || Ability.allowed?(user, group_restriction, project&.group)
  end

  def keep_around_commit
    project.repository.keep_around(self.commit_id, source: "#{noteable_type}/#{self.class.name}")
  end

  def ensure_namespace_id
    return if namespace_id.present? && !noteable_changed? && !project_changed?

    self.namespace_id = if for_issue?
                          # Some issues are not project noteables (e.g. group-level work items)
                          # so we need this separate condition
                          noteable&.namespace_id
                        elsif for_project_noteable?
                          project&.project_namespace_id
                        elsif for_personal_snippet?
                          noteable&.author&.namespace&.id
                        end
  end

  def nullify_blank_type
    self.type = nil if self.type.blank?
  end

  def nullify_blank_line_code
    self.line_code = nil if self.line_code.blank?
  end

  def all_referenced_mentionables_allowed?(user)
    return true unless system_note_with_references?

    if user_visible_reference_count.present? && total_reference_count.present?
      # if they are not equal, then there are private/confidential references as well
      user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count
    else
      refs = all_references(user)

      refs.all.present? && refs.all_visible?
    end
  end

  def force_cross_reference_regex_check?
    return unless system?

    system_note_metadata&.cross_reference_types&.include?(system_note_metadata&.action)
  end

  def does_not_exceed_notes_limit?
    return unless noteable

    errors.add(:base, _('Maximum number of comments exceeded')) if noteable.notes.count >= Noteable::MAX_NOTES_LIMIT
  end

  def noteable_label_url_method
    for_merge_request? ? :project_merge_requests_url : :project_issues_url
  end

  def ensure_confidentiality_not_changed
    return unless will_save_change_to_attribute?(:confidential)
    return unless attribute_change_to_be_saved(:confidential).include?(true)

    errors.add(:confidential, _('can not be changed for existing notes'))
  end

  def ensure_confidentiality_discussion_compliance
    return if start_of_discussion?

    if discussion.first_note.confidential? != confidential?
      errors.add(:confidential, _('reply should have same confidentiality as top-level note'))
    end

  ensure
    clear_memoization(:discussion)
  end

  def ensure_noteable_can_have_confidential_note
    return unless confidential?
    return if noteable_can_have_confidential_note?

    errors.add(:confidential, _('can not be set for this resource'))
  end

  def ensure_note_type_can_be_confidential
    return unless confidential?
    return if NON_DIFF_NOTE_TYPES.include?(type)

    errors.add(:confidential, _('can not be set for this type of note'))
  end

  def noteable_can_have_confidential_note?
    for_issuable?
  end

  def set_internal_flag
    self.internal = confidential if confidential
  end
end

Note.prepend_mod