From bc71e174806214d279470af604220e653fc86612 Mon Sep 17 00:00:00 2001
From: Alex Buijs <abuijs@gitlab.com>
Date: Wed, 28 Dec 2022 13:12:54 +0100
Subject: [PATCH 1/4] Move shared hidden logic from Issue to Issuable

In order to make it reusable for merge requests
---
 app/finders/issuable_finder/params.rb |  5 +++++
 app/finders/issues_finder.rb          |  2 +-
 app/finders/issues_finder/params.rb   |  8 +-------
 app/helpers/issuables_helper.rb       |  8 ++++++++
 app/helpers/issues_helper.rb          |  4 +---
 app/policies/issuable_policy.rb       |  3 +++
 app/policies/issue_policy.rb          |  3 ---
 locale/gitlab.pot                     |  3 +++
 spec/helpers/issuables_helper_spec.rb | 24 ++++++++++++++++++++++++
 9 files changed, 46 insertions(+), 14 deletions(-)

diff --git a/app/finders/issuable_finder/params.rb b/app/finders/issuable_finder/params.rb
index 32d50802537cee..e59c2224594ad7 100644
--- a/app/finders/issuable_finder/params.rb
+++ b/app/finders/issuable_finder/params.rb
@@ -195,6 +195,11 @@ def parent
       project || group
     end
 
+    def user_can_see_all_issuables?
+      Ability.allowed?(current_user, :read_all_resources)
+    end
+    strong_memoize_attr :user_can_see_all_issuables?
+
     private
 
     def projects_public_or_visible_to_user
diff --git a/app/finders/issues_finder.rb b/app/finders/issues_finder.rb
index e12dce744b5748..bd81f06f93b156 100644
--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -49,7 +49,7 @@ def params_class
 
   # rubocop: disable CodeReuse/ActiveRecord
   def with_confidentiality_access_check
-    return model_class.all if params.user_can_see_all_issues?
+    return model_class.all if params.user_can_see_all_issuables?
 
     # Only admins can see hidden issues, so for non-admins, we filter out any hidden issues
     issues = model_class.without_hidden
diff --git a/app/finders/issues_finder/params.rb b/app/finders/issues_finder/params.rb
index 7f8acb79ed688c..786bfbd4113b84 100644
--- a/app/finders/issues_finder/params.rb
+++ b/app/finders/issues_finder/params.rb
@@ -44,7 +44,7 @@ def user_can_see_all_confidential_issues?
         if parent
           Ability.allowed?(current_user, :read_confidential_issues, parent)
         else
-          user_can_see_all_issues?
+          user_can_see_all_issuables?
         end
       end
     end
@@ -54,12 +54,6 @@ def user_cannot_see_confidential_issues?
 
       current_user.blank?
     end
-
-    def user_can_see_all_issues?
-      strong_memoize(:user_can_see_all_issues) do
-        Ability.allowed?(current_user, :read_all_resources)
-      end
-    end
   end
 end
 
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index 2b21d8c51e6921..910823b89ee5c4 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -372,6 +372,14 @@ def state_name_with_icon(issuable)
     end
   end
 
+  def hidden_issuable_icon(issuable)
+    title = format(_('This %{issuable} is hidden because its author has been banned'),
+                   issuable: issuable.human_class_name)
+    content_tag(:span, class: 'has-tooltip', title: title) do
+      sprite_icon('spam', css_class: 'gl-vertical-align-text-bottom')
+    end
+  end
+
   private
 
   def sidebar_gutter_collapsed?
diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index 9095129e05ceab..527106de7900f6 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -75,9 +75,7 @@ def issue_hidden?(issue)
   def hidden_issue_icon(issue)
     return unless issue_hidden?(issue)
 
-    content_tag(:span, class: 'has-tooltip', title: _('This issue is hidden because its author has been banned')) do
-      sprite_icon('spam', css_class: 'gl-vertical-align-text-bottom')
-    end
+    hidden_issuable_icon(issue)
   end
 
   def award_user_list(awards, current_user, limit: 10)
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index fae66498038cd0..52796ed1a1d842 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -16,6 +16,9 @@ class IssuablePolicy < BasePolicy
 
   condition(:is_incident) { @subject.incident? }
 
+  desc "Issuable is hidden"
+  condition(:hidden, scope: :subject) { @subject.hidden? }
+
   rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
     enable :read_issue
     enable :update_issue
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 12d83735d225f1..8215bf421f3240 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -21,9 +21,6 @@ class IssuePolicy < IssuablePolicy
   desc "Issue is confidential"
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
-  desc "Issue is hidden"
-  condition(:hidden, scope: :subject) { @subject.hidden? }
-
   desc "Issue is persisted"
   condition(:persisted, scope: :subject) { @subject.persisted? }
 
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 87f17ed548dc2b..321c421f45e041 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42306,6 +42306,9 @@ msgstr ""
 msgid "This %{issuableDisplayName} is locked. Only project members can comment."
 msgstr ""
 
+msgid "This %{issuable} is hidden because its author has been banned"
+msgstr ""
+
 msgid "This %{issuable} is locked. Only %{strong_open}project members%{strong_close} can comment."
 msgstr ""
 
diff --git a/spec/helpers/issuables_helper_spec.rb b/spec/helpers/issuables_helper_spec.rb
index 15b57a4c9eb034..7768263bd1a60a 100644
--- a/spec/helpers/issuables_helper_spec.rb
+++ b/spec/helpers/issuables_helper_spec.rb
@@ -629,4 +629,28 @@
       expect(helper.sidebar_milestone_tooltip_label(milestone)).to eq('&lt;img onerror=alert(1)&gt;<br/>Milestone')
     end
   end
+
+  describe '#hidden_issuable_icon' do
+    let_it_be(:mock_svg) { '<svg></svg>'.html_safe }
+
+    before do
+      allow(helper).to receive(:sprite_icon).and_return(mock_svg)
+    end
+
+    context 'when issuable is an issue' do
+      let_it_be(:issuable) { build(:issue) }
+
+      it 'returns icon with tooltip' do
+        expect(helper.hidden_issuable_icon(issuable)).to eq("<span class=\"has-tooltip\" title=\"This issue is hidden because its author has been banned\">#{mock_svg}</span>")
+      end
+    end
+
+    context 'when issuable is a merge request' do
+      let_it_be(:issuable) { build(:merge_request) }
+
+      it 'returns icon with tooltip' do
+        expect(helper.hidden_issuable_icon(issuable)).to eq("<span class=\"has-tooltip\" title=\"This merge request is hidden because its author has been banned\">#{mock_svg}</span>")
+      end
+    end
+  end
 end
-- 
GitLab


From 5c1e5571d273c78e325a38c166a395ce3827c13d Mon Sep 17 00:00:00 2001
From: Alex Buijs <abuijs@gitlab.com>
Date: Mon, 5 Dec 2022 15:53:51 +0100
Subject: [PATCH 2/4] Hide merge requests from banned users

And show a hidden icon for admins and auditors
---
 .../admin/users/components/actions/ban.vue    |  4 +-
 .../components/issuable_header_warnings.vue   |  6 ++-
 .../merge_requests/application_controller.rb  |  4 ++
 app/finders/issuable_finder.rb                |  5 ++-
 .../concerns/resolves_merge_requests.rb       |  2 +-
 app/helpers/merge_requests_helper.rb          |  6 +++
 app/models/merge_request.rb                   | 12 ++++++
 app/policies/merge_request_policy.rb          |  4 ++
 .../merge_requests/_merge_request.html.haml   |  1 +
 .../merge_requests/_mr_title.html.haml        |  2 +-
 .../hide_merge_requests_from_banned_users.yml |  8 ++++
 doc/user/admin_area/moderate_users.md         |  2 +-
 ee/spec/finders/merge_requests_finder_spec.rb | 17 ++++++++
 locale/gitlab.pot                             |  2 +-
 .../admin_views_hidden_merge_request_spec.rb  | 26 ++++++++++++
 .../admin_views_hidden_merge_requests_spec.rb | 26 ++++++++++++
 .../issuable_header_warnings_spec.js          |  3 +-
 spec/helpers/issuables_helper_spec.rb         |  2 +-
 spec/models/merge_request_spec.rb             | 42 +++++++++++++++++++
 spec/policies/merge_request_policy_spec.rb    | 16 +++++++
 .../merge_requests_controller_spec.rb         | 28 +++++++++----
 21 files changed, 201 insertions(+), 17 deletions(-)
 create mode 100644 config/feature_flags/development/hide_merge_requests_from_banned_users.yml
 create mode 100644 spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
 create mode 100644 spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb

diff --git a/app/assets/javascripts/admin/users/components/actions/ban.vue b/app/assets/javascripts/admin/users/components/actions/ban.vue
index 55938832dce5d4..898a688c203f07 100644
--- a/app/assets/javascripts/admin/users/components/actions/ban.vue
+++ b/app/assets/javascripts/admin/users/components/actions/ban.vue
@@ -11,7 +11,9 @@ const messageHtml = `
   <ul>
     <li>${s__("AdminUsers|The user can't log in.")}</li>
     <li>${s__("AdminUsers|The user can't access git repositories.")}</li>
-    <li>${s__('AdminUsers|Issues authored by this user are hidden from other users.')}</li>
+    <li>${s__(
+      'AdminUsers|Issues and merge requests authored by this user are hidden from other users.',
+    )}</li>
   </ul>
   <p>${s__('AdminUsers|You can unban their account in the future. Their data remains intact.')}</p>
   <p>${sprintf(
diff --git a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
index 543dca0afe1f91..a84187ab86b8b4 100644
--- a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
+++ b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
@@ -1,7 +1,7 @@
 <script>
 import { GlIcon, GlTooltipDirective } from '@gitlab/ui';
 import { mapGetters } from 'vuex';
-import { __ } from '~/locale';
+import { sprintf, __ } from '~/locale';
 import { IssuableType, WorkspaceType } from '~/issues/constants';
 import glFeatureFlagMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import ConfidentialityBadge from '~/vue_shared/components/confidentiality_badge.vue';
@@ -40,7 +40,9 @@ export default {
           iconName: 'spam',
           visible: this.hidden,
           dataTestId: 'hidden',
-          tooltip: __('This issue is hidden because its author has been banned'),
+          tooltip: sprintf(__('This %{issuable} is hidden because its author has been banned'), {
+            issuable: this.getNoteableData.targetType.replace('_', ' '),
+          }),
         },
       ];
     },
diff --git a/app/controllers/projects/merge_requests/application_controller.rb b/app/controllers/projects/merge_requests/application_controller.rb
index d8da448a3239b7..76b06b2ce9db12 100644
--- a/app/controllers/projects/merge_requests/application_controller.rb
+++ b/app/controllers/projects/merge_requests/application_controller.rb
@@ -13,6 +13,10 @@ def merge_request
     @issuable =
       @merge_request ||=
         merge_request_includes(@project.merge_requests).find_by_iid!(params[:id])
+
+    return render_404 unless can?(current_user, :read_merge_request, @issuable)
+
+    @issuable
   end
 
   def merge_request_includes(association)
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 5fcb81949ee93f..c5a3293ad2f1f9 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -248,7 +248,10 @@ def force_cte?
   end
 
   def init_collection
-    klass.all
+    return klass.all if params.user_can_see_all_issuables?
+
+    # Only admins and auditors can see hidden issuables, for other users we filter out hidden issuables
+    klass.without_hidden
   end
 
   def default_or_simple_sort?
diff --git a/app/graphql/resolvers/concerns/resolves_merge_requests.rb b/app/graphql/resolvers/concerns/resolves_merge_requests.rb
index d56951bc8212e2..c68e120ee241fb 100644
--- a/app/graphql/resolvers/concerns/resolves_merge_requests.rb
+++ b/app/graphql/resolvers/concerns/resolves_merge_requests.rb
@@ -34,7 +34,7 @@ def mr_parent
   end
 
   def unconditional_includes
-    [:target_project]
+    [:target_project, :author]
   end
 
   def preloads
diff --git a/app/helpers/merge_requests_helper.rb b/app/helpers/merge_requests_helper.rb
index 1d7d812dc5d721..ec395baef9e1cd 100644
--- a/app/helpers/merge_requests_helper.rb
+++ b/app/helpers/merge_requests_helper.rb
@@ -276,6 +276,12 @@ def sticky_header_data
 
     data
   end
+
+  def hidden_merge_request_icon(merge_request)
+    return unless merge_request.hidden?
+
+    hidden_issuable_icon(merge_request)
+  end
 end
 
 MergeRequestsHelper.prepend_mod_with('MergeRequestsHelper')
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 78c6d983a3d369..73bb6280fbb9a6 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -436,6 +436,14 @@ def public_merge_status
     )
   end
 
+  scope :without_hidden, -> {
+    if Feature.enabled?(:hide_merge_requests_from_banned_users)
+      where_not_exists(Users::BannedUser.where('merge_requests.author_id = banned_users.user_id'))
+    else
+      all
+    end
+  }
+
   def self.total_time_to_merge
     join_metrics
       .merge(MergeRequest::Metrics.with_valid_time_to_merge)
@@ -2001,6 +2009,10 @@ def can_suggest_reviewers?
     false # overridden in EE
   end
 
+  def hidden?
+    Feature.enabled?(:hide_merge_requests_from_banned_users) && author&.banned?
+  end
+
   private
 
   attr_accessor :skip_fetch_ref
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 1759cf057e401b..49f9225a1d36ca 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -29,6 +29,10 @@ class MergeRequestPolicy < IssuablePolicy
     enable :update_subscription
   end
 
+  rule { hidden & ~admin }.policy do
+    prevent :read_merge_request
+  end
+
   condition(:can_merge) { @subject.can_be_merged_by?(@user) }
 
   rule { can_merge }.policy do
diff --git a/app/views/projects/merge_requests/_merge_request.html.haml b/app/views/projects/merge_requests/_merge_request.html.haml
index 71f8e4c32f5eb6..b96d869e9d7185 100644
--- a/app/views/projects/merge_requests/_merge_request.html.haml
+++ b/app/views/projects/merge_requests/_merge_request.html.haml
@@ -12,6 +12,7 @@
     .issuable-main-info
       .merge-request-title.title
         %span.merge-request-title-text.js-onboarding-mr-item
+          = hidden_merge_request_icon(merge_request)
           = link_to merge_request.title, merge_request_path(merge_request), class: 'js-prefetch-document'
         - if merge_request.tasks?
           %span.task-status.d-none.d-sm-inline-block
diff --git a/app/views/projects/merge_requests/_mr_title.html.haml b/app/views/projects/merge_requests/_mr_title.html.haml
index a73d2aa5cc4c11..9d25603994af1b 100644
--- a/app/views/projects/merge_requests/_mr_title.html.haml
+++ b/app/views/projects/merge_requests/_mr_title.html.haml
@@ -16,7 +16,7 @@
   .detail-page-header.border-bottom-0.pt-0.pb-0.gl-display-block{ class: "gl-md-display-flex! #{'is-merge-request' if moved_mr_sidebar_enabled? && !fluid_layout}" }
     .detail-page-header-body
       .issuable-meta.gl-display-flex
-        #js-issuable-header-warnings
+        #js-issuable-header-warnings{ data: { hidden: @merge_request.hidden?.to_s } }
         %h1.title.page-title.gl-font-size-h-display.gl-my-0.gl-display-inline-block{ data: { qa_selector: 'title_content' } }
           = markdown_field(@merge_request, :title)
 
diff --git a/config/feature_flags/development/hide_merge_requests_from_banned_users.yml b/config/feature_flags/development/hide_merge_requests_from_banned_users.yml
new file mode 100644
index 00000000000000..6ba0bc24196bfb
--- /dev/null
+++ b/config/feature_flags/development/hide_merge_requests_from_banned_users.yml
@@ -0,0 +1,8 @@
+---
+name: hide_merge_requests_from_banned_users
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107836
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/386726
+milestone: "15.8"
+type: development
+group: group::anti-abuse
+default_enabled: false
diff --git a/doc/user/admin_area/moderate_users.md b/doc/user/admin_area/moderate_users.md
index c0daf029b1f4ae..117781f72223d2 100644
--- a/doc/user/admin_area/moderate_users.md
+++ b/doc/user/admin_area/moderate_users.md
@@ -223,7 +223,7 @@ On self-managed GitLab, by default this feature is available.
 To hide the feature, ask an administrator to [disable the feature flag](../../administration/feature_flags.md) named `ban_user_feature_flag`.
 On GitLab.com, this feature is available to GitLab.com administrators only.
 
-GitLab administrators can ban and unban users. Banned users are blocked, and their issues are hidden.
+GitLab administrators can ban and unban users. Banned users are blocked, and their issues and merge requests are hidden.
 The banned user's comments are still displayed. Hiding a banned user's comments is [tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/327356).
 
 ### Ban a user
diff --git a/ee/spec/finders/merge_requests_finder_spec.rb b/ee/spec/finders/merge_requests_finder_spec.rb
index 46e52bc6a4e99c..e54488f84c4ae7 100644
--- a/ee/spec/finders/merge_requests_finder_spec.rb
+++ b/ee/spec/finders/merge_requests_finder_spec.rb
@@ -94,5 +94,22 @@
         expect(merge_requests).to contain_exactly(scoped_labeled_merge_request_1, scoped_labeled_merge_request_2)
       end
     end
+
+    context 'when the author of a merge request is banned' do
+      let_it_be(:banned_user) { create(:user, :banned) }
+      let_it_be(:banned_merge_request) do
+        create(:merge_request, :simple, author: banned_user, source_project: project1)
+      end
+
+      subject(:merge_requests) { described_class.new(user).execute }
+
+      it { is_expected.not_to include(banned_merge_request) }
+
+      context 'when the user is an auditor' do
+        let_it_be(:user) { create(:user, :auditor) }
+
+        it { is_expected.to include(banned_merge_request) }
+      end
+    end
   end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 321c421f45e041..1f3bcd5de4c6ca 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -3307,7 +3307,7 @@ msgstr ""
 msgid "AdminUsers|Is using seat"
 msgstr ""
 
-msgid "AdminUsers|Issues authored by this user are hidden from other users."
+msgid "AdminUsers|Issues and merge requests authored by this user are hidden from other users."
 msgstr ""
 
 msgid "AdminUsers|It's you!"
diff --git a/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb b/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
new file mode 100644
index 00000000000000..b21d47a312169e
--- /dev/null
+++ b/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Admin views hidden merge request', feature_category: :insider_threat do
+  context 'when signed in as admin and viewing a hidden merge request', :js do
+    let_it_be(:admin) { create(:admin) }
+    let_it_be(:author) { create(:user, :banned) }
+    let_it_be(:project) { create(:project, :repository) }
+    let!(:merge_request) { create(:merge_request, source_project: project, author: author) }
+
+    before do
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
+      visit(project_merge_request_path(project, merge_request))
+    end
+
+    it 'shows a hidden merge request icon' do
+      page.within('.detail-page-header-body') do
+        tooltip = format(_('This %{issuable} is hidden because its author has been banned'), issuable: 'merge request')
+        expect(page).to have_css("div[data-testid='hidden'][title='#{tooltip}']")
+        expect(page).to have_css('svg[data-testid="spam-icon"]')
+      end
+    end
+  end
+end
diff --git a/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb b/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb
new file mode 100644
index 00000000000000..41ec9a4483ec17
--- /dev/null
+++ b/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Admin views hidden merge requests', feature_category: :insider_threat do
+  context 'when signed in as admin and viewing a hidden merge request' do
+    let_it_be(:admin) { create(:admin) }
+    let_it_be(:author) { create(:user, :banned) }
+    let_it_be(:project) { create(:project) }
+    let!(:merge_request) { create(:merge_request, source_project: project, author: author) }
+
+    before do
+      sign_in(admin)
+      gitlab_enable_admin_mode_sign_in(admin)
+      visit(project_merge_requests_path(project))
+    end
+
+    it 'shows a hidden merge request icon' do
+      page.within("#merge_request_#{merge_request.id}") do
+        tooltip = format(_('This %{issuable} is hidden because its author has been banned'), issuable: 'merge request')
+        expect(page).to have_css("span[title='#{tooltip}']")
+        expect(page).to have_css('svg[data-testid="spam-icon"]')
+      end
+    end
+  end
+end
diff --git a/spec/frontend/issuable/components/issuable_header_warnings_spec.js b/spec/frontend/issuable/components/issuable_header_warnings_spec.js
index e3a36dc8820b49..98a81478cb6d6b 100644
--- a/spec/frontend/issuable/components/issuable_header_warnings_spec.js
+++ b/spec/frontend/issuable/components/issuable_header_warnings_spec.js
@@ -57,6 +57,7 @@ describe('IssuableHeaderWarnings', () => {
         beforeEach(() => {
           store.getters.getNoteableData.confidential = confidentialStatus;
           store.getters.getNoteableData.discussion_locked = lockStatus;
+          store.getters.getNoteableData.targetType = issuableType;
 
           createComponent({ store, provide: { hidden: hiddenStatus } });
         });
@@ -84,7 +85,7 @@ describe('IssuableHeaderWarnings', () => {
 
           if (hiddenStatus) {
             expect(hiddenIcon.attributes('title')).toBe(
-              'This issue is hidden because its author has been banned',
+              `This ${issuableType} is hidden because its author has been banned`,
             );
             expect(getBinding(hiddenIcon.element, 'gl-tooltip')).not.toBeUndefined();
           }
diff --git a/spec/helpers/issuables_helper_spec.rb b/spec/helpers/issuables_helper_spec.rb
index 7768263bd1a60a..0cd7cfae3a763d 100644
--- a/spec/helpers/issuables_helper_spec.rb
+++ b/spec/helpers/issuables_helper_spec.rb
@@ -630,7 +630,7 @@
     end
   end
 
-  describe '#hidden_issuable_icon' do
+  describe '#hidden_issuable_icon', feature_category: :insider_threat do
     let_it_be(:mock_svg) { '<svg></svg>'.html_safe }
 
     before do
diff --git a/spec/models/merge_request_spec.rb b/spec/models/merge_request_spec.rb
index 05586cbfc642a1..e9c3551de19835 100644
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -165,6 +165,25 @@
         expect(described_class.drafts).to eq([merge_request4])
       end
     end
+
+    describe '.without_hidden', feature_category: :insider_threat do
+      let_it_be(:banned_user) { create(:user, :banned) }
+      let_it_be(:hidden_merge_request) { create(:merge_request, :unique_branches, author: banned_user) }
+
+      it 'only returns public issuables' do
+        expect(described_class.without_hidden).not_to include(hidden_merge_request)
+      end
+
+      context 'when feature flag is disabled' do
+        before do
+          stub_feature_flags(hide_merge_requests_from_banned_users: false)
+        end
+
+        it 'returns public and hidden issuables' do
+          expect(described_class.without_hidden).to include(hidden_merge_request)
+        end
+      end
+    end
   end
 
   describe '#squash?' do
@@ -5456,4 +5475,27 @@ def transition!
 
     it { is_expected.to be_empty }
   end
+
+  describe '#hidden?', feature_category: :insider_threat do
+    let_it_be(:author) { create(:user) }
+    let(:merge_request) { build_stubbed(:merge_request, author: author) }
+
+    subject { merge_request.hidden? }
+
+    it { is_expected.to eq(false) }
+
+    context 'when the author is banned' do
+      let_it_be(:author) { create(:user, :banned) }
+
+      it { is_expected.to eq(true) }
+
+      context 'when the feature flag is disabled' do
+        before do
+          stub_feature_flags(hide_merge_requests_from_banned_users: false)
+        end
+
+        it { is_expected.to eq(false) }
+      end
+    end
+  end
 end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 741a0db300918e..adb717965065b1 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -461,4 +461,20 @@ def permissions(user, merge_request)
       end
     end
   end
+
+  context 'when the author of the merge request is banned', feature_category: :insider_threat do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:admin) { create(:user, :admin) }
+    let_it_be(:author) { create(:user, :banned) }
+    let_it_be(:project) { create(:project, :public) }
+    let_it_be(:hidden_merge_request) { create(:merge_request, source_project: project, author: author) }
+
+    it 'does not allow non-admin user to read the merge_request' do
+      expect(permissions(user, hidden_merge_request)).not_to be_allowed(:read_merge_request)
+    end
+
+    it 'allows admin to read the merge_request', :enable_admin_mode do
+      expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request)
+    end
+  end
 end
diff --git a/spec/requests/projects/merge_requests_controller_spec.rb b/spec/requests/projects/merge_requests_controller_spec.rb
index 2e16529b20de81..9cb95cb5744130 100644
--- a/spec/requests/projects/merge_requests_controller_spec.rb
+++ b/spec/requests/projects/merge_requests_controller_spec.rb
@@ -10,18 +10,32 @@
   describe 'GET #show' do
     let_it_be(:group) { create(:group) }
     let_it_be(:user) { create(:user) }
-    let_it_be(:project) { create :project, group: group }
+    let_it_be(:project) { create(:project, :public, group: group) }
 
-    let_it_be(:merge_request) { create :merge_request, source_project: project, author: user }
+    let(:merge_request) { create :merge_request, source_project: project, author: user }
 
-    before do
-      login_as(user)
+    context 'when logged in' do
+      before do
+        login_as(user)
+      end
+
+      it_behaves_like "observability csp policy", described_class do
+        let(:tested_path) do
+          project_merge_request_path(project, merge_request)
+        end
+      end
     end
 
-    it_behaves_like "observability csp policy", described_class do
-      let(:tested_path) do
-        project_merge_request_path(project, merge_request)
+    context 'when the author of the merge request is banned', feature_category: :insider_threat do
+      let_it_be(:user) { create(:user, :banned) }
+
+      subject { response }
+
+      before do
+        get project_merge_request_path(project, merge_request)
       end
+
+      it { is_expected.to have_gitlab_http_status(:not_found) }
     end
   end
 
-- 
GitLab


From 493c0075e7fd4e252c0dde874b368e92740ff846 Mon Sep 17 00:00:00 2001
From: Alex Buijs <abuijs@gitlab.com>
Date: Tue, 3 Jan 2023 15:05:35 +0100
Subject: [PATCH 3/4] Database maintainer review feedback

As suggested by @mayra-cabrera
---
 ee/spec/finders/merge_requests_finder_spec.rb | 17 -------------
 spec/finders/merge_requests_finder_spec.rb    | 25 +++++++++++++++++++
 spec/policies/merge_request_policy_spec.rb    | 14 +++++++++++
 3 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/ee/spec/finders/merge_requests_finder_spec.rb b/ee/spec/finders/merge_requests_finder_spec.rb
index e54488f84c4ae7..46e52bc6a4e99c 100644
--- a/ee/spec/finders/merge_requests_finder_spec.rb
+++ b/ee/spec/finders/merge_requests_finder_spec.rb
@@ -94,22 +94,5 @@
         expect(merge_requests).to contain_exactly(scoped_labeled_merge_request_1, scoped_labeled_merge_request_2)
       end
     end
-
-    context 'when the author of a merge request is banned' do
-      let_it_be(:banned_user) { create(:user, :banned) }
-      let_it_be(:banned_merge_request) do
-        create(:merge_request, :simple, author: banned_user, source_project: project1)
-      end
-
-      subject(:merge_requests) { described_class.new(user).execute }
-
-      it { is_expected.not_to include(banned_merge_request) }
-
-      context 'when the user is an auditor' do
-        let_it_be(:user) { create(:user, :auditor) }
-
-        it { is_expected.to include(banned_merge_request) }
-      end
-    end
   end
 end
diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb
index 349ffd09324cf0..5dfbce991ba5c1 100644
--- a/spec/finders/merge_requests_finder_spec.rb
+++ b/spec/finders/merge_requests_finder_spec.rb
@@ -993,4 +993,29 @@ def find(label_name)
       end
     end
   end
+
+  context 'when the author of a merge request is banned', feature_category: :insider_threat do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:banned_user) { create(:user, :banned) }
+    let_it_be(:project) { create(:project, :public) }
+    let_it_be(:banned_merge_request) { create(:merge_request, author: banned_user, source_project: project) }
+
+    subject { described_class.new(user).execute }
+
+    it { is_expected.not_to include(banned_merge_request) }
+
+    context 'when the user is an admin', :enable_admin_mode do
+      let_it_be(:user) { create(:user, :admin) }
+
+      it { is_expected.to include(banned_merge_request) }
+    end
+
+    context 'when the `hide_merge_requests_from_banned_users` feature flag is disabled' do
+      before do
+        stub_feature_flags(hide_merge_requests_from_banned_users: false)
+      end
+
+      it { is_expected.to include(banned_merge_request) }
+    end
+  end
 end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index adb717965065b1..c21e1244402d4f 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -476,5 +476,19 @@ def permissions(user, merge_request)
     it 'allows admin to read the merge_request', :enable_admin_mode do
       expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request)
     end
+
+    context 'when the `hide_merge_requests_from_banned_users` feature flag is disabled' do
+      before do
+        stub_feature_flags(hide_merge_requests_from_banned_users: false)
+      end
+
+      it 'allows non-admin users to read the merge_request' do
+        expect(permissions(user, hidden_merge_request)).to be_allowed(:read_merge_request)
+      end
+
+      it 'allows admin users to read the merge_request', :enable_admin_mode do
+        expect(permissions(admin, hidden_merge_request)).to be_allowed(:read_merge_request)
+      end
+    end
   end
 end
-- 
GitLab


From a7f50f234c7589c0d6263936fe09bdad2e305c7c Mon Sep 17 00:00:00 2001
From: Alex Buijs <abuijs@gitlab.com>
Date: Fri, 6 Jan 2023 13:08:17 +0100
Subject: [PATCH 4/4] Frontend maintainer review feedback

As suggested by @afontaine
---
 .../issuable/components/issuable_header_warnings.vue       | 7 ++++++-
 app/helpers/issuables_helper.rb                            | 2 +-
 .../merge_request/admin_views_hidden_merge_request_spec.rb | 3 ++-
 .../admin_views_hidden_merge_requests_spec.rb              | 3 ++-
 .../issuable/components/issuable_header_warnings_spec.js   | 4 ++--
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
index a84187ab86b8b4..14325d6b64e1b7 100644
--- a/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
+++ b/app/assets/javascripts/issuable/components/issuable_header_warnings.vue
@@ -6,6 +6,11 @@ import { IssuableType, WorkspaceType } from '~/issues/constants';
 import glFeatureFlagMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import ConfidentialityBadge from '~/vue_shared/components/confidentiality_badge.vue';
 
+const NoteableTypeText = {
+  issue: __('issue'),
+  merge_request: __('merge request'),
+};
+
 export default {
   WorkspaceType,
   IssuableType,
@@ -41,7 +46,7 @@ export default {
           visible: this.hidden,
           dataTestId: 'hidden',
           tooltip: sprintf(__('This %{issuable} is hidden because its author has been banned'), {
-            issuable: this.getNoteableData.targetType.replace('_', ' '),
+            issuable: NoteableTypeText[this.getNoteableData.targetType],
           }),
         },
       ];
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index 910823b89ee5c4..c6bc48f4b54b0a 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -374,7 +374,7 @@ def state_name_with_icon(issuable)
 
   def hidden_issuable_icon(issuable)
     title = format(_('This %{issuable} is hidden because its author has been banned'),
-                   issuable: issuable.human_class_name)
+                   issuable: issuable.is_a?(Issue) ? _('issue') : _('merge request'))
     content_tag(:span, class: 'has-tooltip', title: title) do
       sprite_icon('spam', css_class: 'gl-vertical-align-text-bottom')
     end
diff --git a/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb b/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
index b21d47a312169e..0dbb42a633b382 100644
--- a/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
+++ b/spec/features/merge_request/admin_views_hidden_merge_request_spec.rb
@@ -17,7 +17,8 @@
 
     it 'shows a hidden merge request icon' do
       page.within('.detail-page-header-body') do
-        tooltip = format(_('This %{issuable} is hidden because its author has been banned'), issuable: 'merge request')
+        tooltip = format(_('This %{issuable} is hidden because its author has been banned'),
+          issuable: _('merge request'))
         expect(page).to have_css("div[data-testid='hidden'][title='#{tooltip}']")
         expect(page).to have_css('svg[data-testid="spam-icon"]')
       end
diff --git a/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb b/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb
index 41ec9a4483ec17..e7727fbb9dc875 100644
--- a/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb
+++ b/spec/features/merge_requests/admin_views_hidden_merge_requests_spec.rb
@@ -17,7 +17,8 @@
 
     it 'shows a hidden merge request icon' do
       page.within("#merge_request_#{merge_request.id}") do
-        tooltip = format(_('This %{issuable} is hidden because its author has been banned'), issuable: 'merge request')
+        tooltip = format(_('This %{issuable} is hidden because its author has been banned'),
+          issuable: _('merge request'))
         expect(page).to have_css("span[title='#{tooltip}']")
         expect(page).to have_css('svg[data-testid="spam-icon"]')
       end
diff --git a/spec/frontend/issuable/components/issuable_header_warnings_spec.js b/spec/frontend/issuable/components/issuable_header_warnings_spec.js
index 98a81478cb6d6b..99aa6778e1ef39 100644
--- a/spec/frontend/issuable/components/issuable_header_warnings_spec.js
+++ b/spec/frontend/issuable/components/issuable_header_warnings_spec.js
@@ -7,7 +7,7 @@ import createIssueStore from '~/notes/stores';
 import IssuableHeaderWarnings from '~/issuable/components/issuable_header_warnings.vue';
 
 const ISSUABLE_TYPE_ISSUE = 'issue';
-const ISSUABLE_TYPE_MR = 'merge request';
+const ISSUABLE_TYPE_MR = 'merge_request';
 
 Vue.use(Vuex);
 
@@ -85,7 +85,7 @@ describe('IssuableHeaderWarnings', () => {
 
           if (hiddenStatus) {
             expect(hiddenIcon.attributes('title')).toBe(
-              `This ${issuableType} is hidden because its author has been banned`,
+              `This ${issuableType.replace('_', ' ')} is hidden because its author has been banned`,
             );
             expect(getBinding(hiddenIcon.element, 'gl-tooltip')).not.toBeUndefined();
           }
-- 
GitLab