authorHeinrich Lee Yu <hleeyu@gmail.com>2019-01-15 16:21:28 +0800
committerHeinrich Lee Yu <hleeyu@gmail.com>2019-01-15 16:21:28 +0800
commita2338de00c8723a1e14068cef198b20f1e20ab82 (patch)
treedc8f2cef415bb6053910bfbbac8bf8a0da8c0b2c
parent7a10ef6e751e643b482a171a305c4ce485b1b039 (diff)
downloadgitlab-ce-a2338de00c8723a1e14068cef198b20f1e20ab82.tar.gz
Prevent award_emoji to notes not visible to user
When the parent noteable is not visible to the user (e.g. confidential), we prevent the user from adding emoji reactions to its notes.
-rw-r--r--app/policies/note_policy.rb1
-rw-r--r--changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml5
-rw-r--r--spec/policies/note_policy_spec.rb2
3 files changed, 8 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index f22843b6463..8d23e3abed3 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
prevent :read_note
prevent :admin_note
prevent :resolve_note
+ prevent :award_emoji
end
rule { is_author }.policy do
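Review bot: The new `prevent :award_emoji` only closes the hole if the award-emoji creation path actually asks the note policy for `:award_emoji`; nothing in this diff shows that call site, and the only spec added is at the policy level, so if the endpoint authorizes against the noteable or skips the check for notes this rule is inert. A request-level spec that toggles a reaction on a note of a non-visible noteable and asserts the request is rejected would pin the enforcement path rather than just the policy table. The rule block this line sits in starts above the hunk, so the visibility condition it is guarded by is not visible here; from the commit message it is presumably the "noteable not readable" rule, which is worth confirming since a `prevent` in the wrong block would silently leave reactions allowed. A short why-comment would help the next reader, e.g. `# reactions on a note must follow the parent noteable's visibility, not the note's own`.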
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 00000000000..3ad92578c44
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index 7e25c53e77c..0e848c74659 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_disallowed(:admin_note)
expect(policy).to be_disallowed(:resolve_note)
expect(policy).to be_disallowed(:read_note)
+ expect(policy).to be_disallowed(:award_emoji)
end
end
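Review bot: The describe metadata key `mdoels: true` in the hunk header (and again in the second spec hunk) is misspelled; it is pre-existing, but since this commit is the one touching the file it would be a good moment to correct it to `models: true`, as a misspelled metadata tag silently matches nothing that filters on it. The added expectations mirror the surrounding `admin_note`/`resolve_note`/`read_note` lines and are consistent between the disallowed and allowed contexts; the `context` blocks they sit in begin outside both hunks, so the exact visibility setup being exercised cannot be confirmed from the diff alone.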
@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_allowed(:admin_note)
expect(policy).to be_allowed(:resolve_note)
expect(policy).to be_allowed(:read_note)
+ expect(policy).to be_allowed(:award_emoji)
end
end
end