implement scope for fetching restricted journals

app/components/work_packages/activities_tab/journals/index_component.rb

@@ -68,12 +68,10 @@ module WorkPackages
         end
 
         def fetch_journals
-          can_see_restricted = User.current.allowed_in_work_package?(:view_comments_with_restricted_visibility, work_package)
-
           API::V3::Activities::ActivityEagerLoadingWrapper.wrap(
             work_package
               .journals
-              .where(can_see_restricted ? nil : { restricted: false })
+              .restricted_visible(work_package)
               .includes(:user, :customizable_journals, :attachable_journals, :storable_journals, :notifications)
               .reorder(version: journal_sorting)
               .with_sequence_version

app/models/journal.rb

@@ -113,6 +113,13 @@ class Journal < ApplicationRecord
   scope :for_wiki_page, -> { where(journable_type: "WikiPage") }
   scope :for_work_package, -> { where(journable_type: "WorkPackage") }
   scope :for_meeting, -> { where(journable_type: "Meeting") }
+  scope :restricted_visible, ->(work_package) {
+    if User.current.allowed_in_work_package?(:view_comments_with_restricted_visibility, work_package)
+      all
+    else
+      where(restricted: false)
+    end
+  }
 
   # In conjunction with the included Comparable module, allows comparison of journal records
   # based on their corresponding version numbers, creation timestamps and IDs.

lib/api/v3/activities/activities_by_work_package_api.rb

@@ -36,10 +36,9 @@ module API
           get do
             self_link = api_v3_paths.work_package_activities @work_package.id
 
-            can_see_restricted = current_user.allowed_in_work_package?(:view_comments_with_restricted_visibility, @work_package)
             journals = @work_package
               .journals
-              .where(can_see_restricted ? nil : { restricted: false })
+              .restricted_visible(work_package)
               .includes(:data,
                         :customizable_journals,
                         :attachable_journals,

spec/models/journal_spec.rb

@@ -30,7 +30,7 @@ require "spec_helper"
 RSpec.describe Journal do
   describe "#journable" do
     it "raises no error on a new journal without a journable" do
-      expect(Journal.new.journable)
+      expect(described_class.new.journable)
         .to be_nil
     end
   end
@@ -68,4 +68,48 @@ RSpec.describe Journal do
       end
     end
   end
+
+  describe "#restricted_visible scope" do
+    let(:work_package) { create(:work_package) }
+    let(:admin) { create(:admin) }
+    let(:user) { create(:user) }
+    let!(:restricted_note) do
+      create(:work_package_journal,
+             user: admin,
+             notes: "First comment by admin",
+             journable: work_package,
+             restricted: true,
+             version: 2)
+    end
+
+    subject { described_class.restricted_visible(work_package) }
+
+    before do
+      login_as user
+    end
+
+    context "when the user cannot see restricted" do
+      before do
+        mock_permissions_for(user) do |mock|
+          mock.allow_in_work_package :view_work_packages, work_package:
+        end
+      end
+
+      it "does not return the restricted journal" do
+        expect(subject.map(&:id)).not_to include(restricted_note.id)
+      end
+    end
+
+    context "when the user can see restricted" do
+      before do
+        mock_permissions_for(user) do |mock|
+          mock.allow_in_work_package :view_comments_with_restricted_visibility, work_package:
+        end
+      end
+
+      it "returns the restricted journal" do
+        expect(subject.map(&:id)).to include(restricted_note.id)
+      end
+    end
+  end
 end