# frozen_string_literal: true # A note on the root of an issue, merge request, commit, or snippet. # # A note of this type is never resolvable. class Note < ApplicationRecord extend ActiveModel::Naming extend Gitlab::Utils::Override include Notes::ActiveRecord include Notes::Discussion include Gitlab::Utils::StrongMemoize include Participable include Mentionable include Awardable include Importable include Import::HasImportSource include FasterCacheKeys include Redactable include CacheMarkdownField include AfterCommitQueue include ResolvableNote include Editable include Gitlab::SQL::Pattern include ThrottledTouch include FromUnion include Sortable include EachBatch include Spammable ignore_column :attachment, remove_with: '18.1', remove_after: '2025-05-15' cache_markdown_field :note, pipeline: :note, issuable_reference_expansion_enabled: true redact_field :note TYPES_RESTRICTED_BY_PROJECT_ABILITY = { branch: :download_code }.freeze TYPES_RESTRICTED_BY_GROUP_ABILITY = { contact: :read_crm_contact }.freeze NON_DIFF_NOTE_TYPES = ['Note', 'DiscussionNote', nil].freeze # Attribute containing rendered and redacted Markdown as generated by # Banzai::ObjectRenderer. attr_accessor :redacted_note_html # Total of all references as generated by Banzai::ObjectRenderer attr_accessor :total_reference_count # Number of user visible references as generated by Banzai::ObjectRenderer attr_accessor :user_visible_reference_count # Attribute used to store the attributes that have been changed by quick actions. attr_writer :commands_changes # Attribute used to store the status of quick actions. attr_accessor :quick_actions_status # Attribute used to determine whether keep_around_commits will be skipped for diff notes. attr_accessor :skip_keep_around_commits # Attribute used to skip updates of `updated_at` for the noteable when it could impact database health. attr_accessor :skip_touch_noteable attribute :system, default: false attr_spammable :note, spam_description: true attr_mentionable :note, pipeline: :note participant :author belongs_to :namespace belongs_to :project belongs_to :noteable, polymorphic: true # rubocop:disable Cop/PolymorphicAssociations belongs_to :review, inverse_of: :notes # The delete_all definition is required here in order # to generate the correct DELETE sql for # suggestions.delete_all calls has_many :suggestions, -> { order(:relative_order) }, inverse_of: :note, dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent has_one :system_note_metadata has_one :note_metadata, inverse_of: :note, class_name: 'Notes::NoteMetadata' has_one :note_diff_file, inverse_of: :diff_note, foreign_key: :diff_note_id has_many :diff_note_positions # rubocop:disable Cop/ActiveRecordDependent -- polymorphic association has_many :events, as: :target, dependent: :delete_all # rubocop:enable Cop/ActiveRecordDependent delegate :gfm_reference, :local_reference, to: :noteable delegate :name, to: :project, prefix: true delegate :title, to: :noteable, allow_nil: true accepts_nested_attributes_for :note_metadata validates :project, presence: true, if: :for_project_noteable? validates :namespace, presence: true validates :noteable_type, presence: true validates :noteable_id, presence: true, unless: [:for_commit?, :importing?] validates :commit_id, presence: true, if: :for_commit? validate :ensure_noteable_can_have_confidential_note validate :ensure_note_type_can_be_confidential validate :ensure_confidentiality_not_changed, on: :update validate :ensure_confidentiality_discussion_compliance validate unless: [:for_commit?, :importing?, :skip_project_check?] do |note| unless note.noteable.try(:project) == note.project errors.add(:project, 'does not match noteable project') end end validate :does_not_exceed_notes_limit?, on: :create, unless: [:system?, :importing?] # Scopes scope :for_commit_id, ->(commit_id) { where(noteable_type: "Commit", commit_id: commit_id) } scope :system, -> { where(system: true) } scope :user, -> { where(system: false) } scope :not_internal, -> { where(internal: false) } scope :common, -> { where(noteable_type: ["", nil]) } scope :fresh, -> { order_created_asc.with_order_id_asc } scope :updated_after, ->(time) { where('updated_at > ?', time) } scope :with_suggestions, -> { joins(:suggestions) } scope :inc_author, -> { includes(:author) } scope :authored_by, ->(user) { where(author: user) } scope :inc_note_diff_file, -> { includes(:note_diff_file) } scope :with_api_entity_associations, -> { preload(:note_diff_file, :author) } scope :inc_relations_for_view, ->(noteable = nil) do relations = [ { project: :group }, { author: :status }, :updated_by, :resolved_by, :award_emoji, :note_metadata, :suggestions, { system_note_metadata: { description_version: [:issue, :merge_request] } } ] if noteable.nil? || DiffNote.noteable_types.include?(noteable.class.name) relations += [:note_diff_file, :diff_note_positions] end includes(relations) end scope :with_notes_filter, ->(notes_filter) do case notes_filter when UserPreference::NOTES_FILTERS[:only_comments] user when UserPreference::NOTES_FILTERS[:only_activity] system else all end end scope :diff_notes, -> { where(type: %w[LegacyDiffNote DiffNote]) } scope :new_diff_notes, -> { where(type: 'DiffNote') } scope :non_diff_notes, -> { where(type: NON_DIFF_NOTE_TYPES) } scope :with_associations, -> do # FYI noteable cannot be loaded for LegacyDiffNote for commits includes( :author, :noteable, :updated_by, project: [:project_members, :namespace, { group: [:group_members] }] ) end scope :with_metadata, -> { includes(:system_note_metadata) } scope :without_hidden, -> { where_not_exists(Users::BannedUser.where('notes.author_id = banned_users.user_id')) } scope :for_note_or_capitalized_note, ->(text) { where(note: [text, text.capitalize]) } scope :like_note_or_capitalized_note, ->(text) { where('(note LIKE ? OR note LIKE ?)', text, text.capitalize) } before_validation :ensure_namespace_id, :nullify_blank_type, :nullify_blank_line_code # Syncs `confidential` with `internal` as we rename the column. # https://gitlab.com/gitlab-org/gitlab/-/issues/367923 before_create :set_internal_flag after_save :keep_around_commit, if: :for_project_noteable?, unless: -> { importing? || skip_keep_around_commits } after_save :touch_noteable, if: :touch_noteable? after_commit :notify_after_create, on: :create after_commit :notify_after_destroy, on: :destroy after_commit :trigger_note_subscription_create, on: :create after_commit :trigger_note_subscription_update, on: :update after_commit :trigger_note_subscription_destroy, on: :destroy after_commit :broadcast_noteable_notes_changed, unless: :importing? def trigger_note_subscription_create return unless trigger_note_subscription? GraphqlTriggers.work_item_note_created(noteable.to_work_item_global_id, self) end def trigger_note_subscription_update return unless trigger_note_subscription? GraphqlTriggers.work_item_note_updated(noteable.to_work_item_global_id, self) end def trigger_note_subscription_destroy return unless trigger_note_subscription? # when deleting a note, we cannot pass it on as a Note instance, as GitlabSchema.object_from_id # would try to resolve the given Note and fetch it from DB which would raise NotFound exception. # So instead we just pass over the string representations of the note and discussion IDs, # so that the subscriber can identify the discussion and the note. deleted_note_data = { id: self.id, model_name: self.class.name, discussion_id: self.discussion_id, last_discussion_note: discussion.notes == [self] } GraphqlTriggers.work_item_note_deleted(noteable.to_work_item_global_id, deleted_note_data) end class << self extend Gitlab::Utils::Override def model_name ActiveModel::Name.new(self, nil, 'note') end def parent_object_field :noteable end # Group diff discussions by line code or file path. # It is not needed to group by line code when comment is # on an image. def grouped_diff_discussions(diff_refs = nil) groups = {} diff_notes.fresh.discussions.each do |discussion| group_key = if discussion.on_image? discussion.file_new_path else discussion.line_code_in_diffs(diff_refs) end if group_key discussions = groups[group_key] ||= [] discussions << discussion end end groups end def positions where.not(position: nil) .select(:id, :type, :position) # ActiveRecord needs id and type for typecasting. .map(&:position) end def count_for_collection(ids, type, count_column = 'COUNT(*) as count') user.select(:noteable_id, count_column) .group(:noteable_id) .where(noteable_type: type, noteable_id: ids) end def search(query) fuzzy_search(query, [:note]) end # Override the `Sortable` module's `.simple_sorts` to remove name sorting, # as a `Note` does not have any property that correlates to a "name". override :simple_sorts def simple_sorts super.except('name_asc', 'name_desc') end def cherry_picked_merge_requests(shas) where(noteable_type: 'MergeRequest', commit_id: shas).select(:noteable_id) end def with_web_entity_associations preload(:project, :author, :noteable) end end # rubocop: disable CodeReuse/ServiceClass def system_note_with_references? return unless system? if force_cross_reference_regex_check? matches_cross_reference_regex? else ::SystemNotes::IssuablesService.cross_reference?(note) end end # rubocop: enable CodeReuse/ServiceClass def diff_note? false end def active? true end def hook_attrs Gitlab::HookData::NoteBuilder.new(self).build end def supports_suggestion? false end def for_commit? noteable_type == "Commit" end def for_issue? noteable_type == "Issue" end def for_work_item? noteable.is_a?(WorkItem) end def for_merge_request? noteable_type == "MergeRequest" end def for_snippet? noteable_type == "Snippet" end def for_alert_mangement_alert? noteable_type == 'AlertManagement::Alert' end def for_vulnerability? noteable_type == "Vulnerability" end def for_project_snippet? noteable.is_a?(ProjectSnippet) end def for_personal_snippet? noteable.is_a?(PersonalSnippet) end def for_wiki_page? noteable_type == "WikiPage::Meta" end def for_project_noteable? !(for_personal_snippet? || for_abuse_report? || group_level_issue?) end def group_level_issue? (for_issue? || for_work_item?) && noteable&.project_id.blank? end def for_design? noteable_type == DesignManagement::Design.name end def for_issuable? for_issue? || for_merge_request? end def for_abuse_report? noteable_type == AbuseReport.name end def skip_project_check? !for_project_noteable? end def commit @commit ||= project.commit(commit_id) if commit_id.present? end # Notes on merge requests and commits can be traced back to one or several # MRs. This method returns a relation if the note is for one of these types, # or nil if it is a note on some other object. def merge_requests if for_commit? project.merge_requests.by_commit_sha(commit_id) elsif for_merge_request? MergeRequest.id_in(noteable_id) end end # override to return commits, which are not active record def noteable return commit if for_commit? super rescue StandardError # Temp fix to prevent app crash # if note commit id doesn't exist nil end # FIXME: Hack for polymorphic associations with STI # For more information visit http://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html#label-Polymorphic+Associations def noteable_type=(noteable_type) super(noteable_type.to_s.classify.constantize.base_class.to_s) end def contributor? project&.team&.contributor?(self.author_id) end def human_max_access project&.team&.human_max_access(self.author_id) end def noteable_author?(noteable) noteable.author == self.author end def project_name project&.name end def confidential?(include_noteable: false) return true if confidential include_noteable && noteable.try(:confidential?) end def editable? !system? end # We used `last_edited_at` as an alias of `updated_at` before. # This makes it compatible with the previous way without data migration. def last_edited_at super || updated_at end # Since we used `updated_at` as `last_edited_at`, it could be touched by transforming / resolving a note. # This makes sure it is only marked as edited when the note body is updated. def edited? return false if read_attribute(:last_edited_at).blank? && updated_by.blank? super end def award_emoji? can_be_award_emoji? && contains_emoji_only? end def emoji_awardable? !system? end def can_be_award_emoji? noteable.is_a?(Awardable) && !part_of_discussion? end def contains_emoji_only? note =~ /\A#{Banzai::Filter::EmojiFilter.emoji_pattern}\s?\Z/ end def noteable_ability_name if for_snippet? 'snippet' elsif for_alert_mangement_alert? 'alert_management_alert' elsif for_vulnerability? 'security_resource' elsif for_wiki_page? 'wiki_page' else noteable_type.demodulize.underscore end end def can_be_discussion_note? self.noteable.supports_discussions? && !part_of_discussion? && !system? end def can_create_todo? # Skip system notes, and notes on snippets !system? && !for_snippet? end def references refs = [noteable] if part_of_discussion? refs += discussion.notes.take_while { |n| n.id < id } end refs end def bump_updated_at # Instead of calling touch which is throttled via ThrottledTouch concern, # we bump the updated_at column directly. This also prevents executing # after_commit callbacks that we don't need. attributes_to_update = { updated_at: Time.current } # Notes that were edited before the `last_edited_at` column was added, fall back to `updated_at` for the edit time. # We copy this over to the correct column so we don't erroneously change the edit timestamp. if updated_by_id.present? && read_attribute(:last_edited_at).blank? attributes_to_update[:last_edited_at] = updated_at end update_columns(attributes_to_update) end def broadcast_noteable_notes_changed noteable&.broadcast_notes_changed end def touch(*args, **kwargs) # We're not using an explicit transaction here because this would in all # cases result in all future queries going to the primary, even if no writes # are performed. # # We touch the noteable first so its SELECT query can run before our writes, # ensuring it runs on a secondary (if no prior write took place). touch_noteable super end # By default Rails will issue an "SELECT *" for the relation, which is # overkill for just updating the timestamps. To work around this we manually # touch the data so we can SELECT only the columns we need. def touch_noteable # Commits are not stored in the DB so we can't touch them. # Vulnerabilities should not be touched as they are tracked in the same manner as other issuable types return if for_vulnerability? || for_commit? assoc = association(:noteable) noteable_object = if assoc.loaded? noteable else # If the object is not loaded (e.g. when notes are loaded async) we # _only_ want the data we actually need. assoc.scope.select(:id, :updated_at).take end noteable_object&.touch # We return the noteable object so we can re-use it in EE for Elasticsearch. noteable_object end def notify_after_create noteable&.after_note_created(self) end def notify_after_destroy noteable&.after_note_destroyed(self) end def banzai_render_context(field) additional_attributes = { noteable: noteable, system_note: system?, label_url_method: noteable_label_url_method } additional_attributes[:group] = namespace if namespace.is_a?(Group) super.merge(additional_attributes) end def retrieve_upload(_identifier, paths) Upload.find_by(model: self, path: paths) end def resource_parent noteable.try(:resource_parent) || project end def user_mentions return Note.none unless noteable.present? noteable.user_mentions.where(note: self) end def system_note_visible_for?(user) return true unless system? system_note_viewable_by?(user) && all_referenced_mentionables_allowed?(user) end def parent_user noteable.author if for_personal_snippet? end def skip_notification? review.present? || !author.can_trigger_notifications? end def post_processed_cache_key cache_key_items = [cache_key, author&.cache_key] cache_key_items << project.team.human_max_access(author&.id) if author.present? cache_key_items << Digest::SHA1.hexdigest(redacted_note_html) if redacted_note_html.present? cache_key_items.join(':') end override :user_mention_class def user_mention_class return if noteable.blank? noteable.user_mention_class end override :user_mention_identifier def user_mention_identifier return if noteable.blank? noteable.user_mention_identifier.merge({ note_id: id }) end def show_outdated_changes? return false unless for_merge_request? return false unless system? return false if change_position&.on_file? return false unless change_position&.line_range change_position.line_range["end"] || change_position.line_range["start"] end def commands_changes @commands_changes&.slice( :due_date, :label_ids, :remove_label_ids, :add_label_ids, :canonical_issue_id, :clone_with_notes, :confidential, :create_merge_request, :add_contacts, :remove_contacts, :assignee_ids, :milestone_id, :time_estimate, :spend_time, :discussion_locked, :merge, :rebase, :wip_event, :target_branch, :reviewer_ids, :health_status, :promote_to_epic, :weight, :emoji_award, :todo_event, :subscription_event, :state_event, :title, :tag_message, :tag_name ) end def mentioned_users(current_user = nil) users = super return users unless confidential? Ability.users_that_can_read_internal_notes(users, resource_parent) end def mentioned_filtered_user_ids_for(references) return super unless confidential? user_ids = references.mentioned_user_ids.presence return [] if user_ids.blank? users = User.where(id: user_ids) Ability.users_that_can_read_internal_notes(users, resource_parent).pluck(:id) end def issuable_ability_name confidential? ? :read_internal_note : :read_note end def exportable_record?(user) return true unless system? readable_by?(user) end # Override method defined in Spammable # Wildcard argument because user: argument is not used def check_for_spam?(*) return false if system? || !spammable_attribute_changed? || confidential? return false if noteable.try(:confidential?) == true || noteable.try(:public?) == false return false if noteable.try(:group)&.public? == false || project&.public? == false true end # Use attributes.keys instead of attribute_names to filter out the fields that are skipped during export: # # - note_html # - cached_markdown_version def attribute_names_for_serialization attributes.keys end private def touch_noteable? !importing? && !skip_touch_noteable end def trigger_note_subscription? for_issue? && noteable end def system_note_viewable_by?(user) return true unless system_note_metadata system_note_viewable_by_project_ability?(user) && system_note_viewable_by_group_ability?(user) end def system_note_viewable_by_project_ability?(user) project_restriction = TYPES_RESTRICTED_BY_PROJECT_ABILITY[system_note_metadata.action.to_sym] !project_restriction || Ability.allowed?(user, project_restriction, project) end def system_note_viewable_by_group_ability?(user) group_restriction = TYPES_RESTRICTED_BY_GROUP_ABILITY[system_note_metadata.action.to_sym] !group_restriction || Ability.allowed?(user, group_restriction, project&.group) end def keep_around_commit project.repository.keep_around(self.commit_id, source: "#{noteable_type}/#{self.class.name}") end def ensure_namespace_id return if namespace_id.present? && !noteable_changed? && !project_changed? self.namespace_id = if for_issue? # Some issues are not project noteables (e.g. group-level work items) # so we need this separate condition noteable&.namespace_id elsif for_project_noteable? project&.project_namespace_id elsif for_personal_snippet? noteable&.author&.namespace&.id end end def nullify_blank_type self.type = nil if self.type.blank? end def nullify_blank_line_code self.line_code = nil if self.line_code.blank? end def all_referenced_mentionables_allowed?(user) return true unless system_note_with_references? if user_visible_reference_count.present? && total_reference_count.present? # if they are not equal, then there are private/confidential references as well user_visible_reference_count > 0 && user_visible_reference_count == total_reference_count else refs = all_references(user) refs.all.present? && refs.all_visible? end end def force_cross_reference_regex_check? return unless system? system_note_metadata&.cross_reference_types&.include?(system_note_metadata&.action) end def does_not_exceed_notes_limit? return unless noteable notes_count = noteable.persisted? ? noteable.notes.count : noteable.notes.size errors.add(:base, _('Maximum number of comments exceeded')) if notes_count >= Noteable::MAX_NOTES_LIMIT end def noteable_label_url_method for_merge_request? ? :project_merge_requests_url : :project_issues_url end def ensure_confidentiality_not_changed return unless will_save_change_to_attribute?(:confidential) return unless attribute_change_to_be_saved(:confidential).include?(true) errors.add(:confidential, _('can not be changed for existing notes')) end def ensure_confidentiality_discussion_compliance return if start_of_discussion? if discussion.first_note.confidential? != confidential? errors.add(:confidential, _('reply should have same confidentiality as top-level note')) end ensure clear_memoization(:discussion) end def ensure_noteable_can_have_confidential_note return unless confidential? return if noteable_can_have_confidential_note? errors.add(:confidential, _('can not be set for this resource')) end def ensure_note_type_can_be_confidential return unless confidential? return if NON_DIFF_NOTE_TYPES.include?(type) errors.add(:confidential, _('can not be set for this type of note')) end def noteable_can_have_confidential_note? for_issuable? end def set_internal_flag self.internal = confidential if confidential end end Note.prepend_mod