authorValery Sizov <valery@gitlab.com>2015-12-10 14:36:31 +0200
committerValery Sizov <valery@gitlab.com>2015-12-10 14:39:37 +0200
commite3ee46a13b91a6cefb0efb1841fb24afed37b674 (patch)
tree567e66fbb0a3ecdc81a1a88509d4f8601161fd1e
parentbdc62d704c79b8f4e39dc7b5660b8d657a434895 (diff)
downloadgitlab-ce-e3ee46a13b91a6cefb0efb1841fb24afed37b674.tar.gz
Don't allow to edit award emoji commentsemoji_edit_disallow
-rw-r--r--CHANGELOG1
-rw-r--r--app/models/note.rb2
-rw-r--r--spec/models/note_spec.rb17
3 files changed, 19 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 144b3487714..776f86c0e07 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -27,6 +27,7 @@ v 8.3.0 (unreleased)
- Improve wording on project visibility levels (Zeger-Jan van de Weg)
- Automatically select default clone protocol based on user preferences (Eirik Lygre)
- Make Network page as sub tab of Commits
+ - Prevent possible XSS attack with award-emoji
v 8.2.3
- Fix application settings cache not expiring after changes (Stan Hu)
diff --git a/app/models/note.rb b/app/models/note.rb
index 98c29ddc4cd..0f7efc2f2ab 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -350,7 +350,7 @@ class Note < ActiveRecord::Base
end
def editable?
- !system?
+ !system? && !is_award
end
# Checks if note is an award added as a comment
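Review bot: The new guard on the `+` line reads the column directly as `is_award` while the other operand is the predicate `system?`; assuming `is_award` is a boolean column, ActiveRecord also defines `is_award?`, so `!system? && !is_award?` keeps the expression uniform and yields a strict true/false even when the column is NULL. Nothing in the method records why award notes are excluded, which a later maintainer could easily revert; a comment above the definition such as `# Award-emoji notes are never editable (CHANGELOG 8.3.0: prevent possible XSS attack with award-emoji)` preserves the intent. Whether every edit path (controllers, views, API) actually consults `editable?` cannot be seen from this hunk, so the guard's coverage is presumably verified elsewhere. The enclosing `Note` class starts and ends outside the hunk.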
diff --git a/spec/models/note_spec.rb b/spec/models/note_spec.rb
index cd3c868ecc5..5b6f177ebb2 100644
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -142,4 +142,21 @@ describe Note, models: true do
expect(Note.grouped_awards.first.last).to match_array(Note.all)
end
end
+
+ describe "editable?" do
+ it "returns true" do
+ note = build(:note)
+ expect(note.editable?).to be_truthy
+ end
+
+ it "returns false" do
+ note = build(:note, system: true)
+ expect(note.editable?).to be_falsy
+ end
+
+ it "returns false" do
+ note = build(:note, is_award: true, note: "smiley")
+ expect(note.editable?).to be_falsy
+ end
+ end
end
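Review bot: Two of the new examples share the description `"returns false"` and the first is only `"returns true"`, so a failure report cannot tell the system-note case from the award-note case; naming the condition fixes that: `it "returns true for a regular note"`, `it "returns false for a system note"`, `it "returns false for an award note"`. The new `describe "editable?"` would conventionally be `describe "#editable?"` to mark an instance method, if the rest of this spec follows that convention. The enclosing `describe Note` block starts outside the hunk.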