author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:47:40 +0000 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:47:43 +0000 |
commit | 2692cee68bb961019e555168a55f729a7e125095 (patch) | |
tree | 5d8b5e989bade9ff727c7386b951ba39d9808fff | |
parent | 9128a397824d6e402bc5098fc5427c8280604881 (diff) | |
Merge branch 'security-2776-fix-add-reaction-permissions-11-6' into 'security-11-6'
[11.6] Revoke award_emoji permissions for confidential issues
See merge request gitlab/gitlabhq!2850
(cherry picked from commit f645472619fe1e1ec4fdaa02010408d548287efb)
47d86827 Prevent award_emoji to notes not visible to user
-rw-r--r-- | app/policies/note_policy.rb | 1 | ||||
-rw-r--r-- | changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml | 5 | ||||
-rw-r--r-- | spec/policies/note_policy_spec.rb | 2 |
3 files changed, 8 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index f22843b6463..8d23e3abed3 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
 prevent :read_note
 prevent :admin_note
 prevent :resolve_note
+ prevent :award_emoji
 end
 rule { is_author }.policy do
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 00000000000..3ad92578c44
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index 7e25c53e77c..0e848c74659 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
 expect(policy).to be_disallowed(:admin_note)
 expect(policy).to be_disallowed(:resolve_note)
 expect(policy).to be_disallowed(:read_note)
+ expect(policy).to be_disallowed(:award_emoji)
 end
 end
@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
 expect(policy).to be_allowed(:admin_note)
 expect(policy).to be_allowed(:resolve_note)
 expect(policy).to be_allowed(:read_note)
+ expect(policy).to be_allowed(:award_emoji)
 end
 end
 end
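Review bot: The new `prevent :award_emoji` only closes the hole if every path that creates an award on a note actually authorizes against this ability — e.g. `can?(current_user, :award_emoji, note)` in the toggle-award controller action and in the REST/GraphQL award endpoints — and none of them still gate on `read_note` alone or bypass the policy; this commit shows the policy change but not those call sites, so they should be checked in the same release. The `rule { … }.policy do` block these `prevent` calls belong to opens above the hunk, so the condition that triggers them (presumably the noteable not being readable by the user) is not visible here. In DeclarativePolicy a `prevent` is expected to win over later `enable` rules such as the `rule { is_author }` block that follows, but that is worth pinning with a spec where the note's author has lost access to the confidential parent. Since the commit title speaks of confidential issues, confirm whether the issue and merge-request award abilities needed the same guard or already had it.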
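Review bot: The `describe NotePolicy, mdoels: true do` line carries a typo — `mdoels` should be `models` — so whatever metadata hook `models: true` is meant to enable for this spec is not applied; the line is hunk context rather than a changed line, but it is cheap to fix alongside this change. The added expectations only assert the policy's answer; a request spec against the award-toggle endpoint for a user who cannot see the parent issue would pin the end-to-end behaviour this security fix is meant to guarantee. The `describe` block both hunks belong to starts outside the hunk.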