diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:50:21 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:50:23 +0000 |
commit | 0d22b9b88888d7c339cd678c3baaa83c25c7ccd7 (patch) | |
tree | 1a6f591a010ef8b204a43cd8c756cb48b208b1ee | |
parent | 52a93abb838105fb6eb4cb130161d7db2bb6f9c6 (diff) | |
download | gitlab-ce-0d22b9b88888d7c339cd678c3baaa83c25c7ccd7.tar.gz |
Merge branch 'security-do-not-process-mr-ref-for-guests-11-6' into 'security-11-6'
[11.6] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2782
(cherry picked from commit ee0f107791921dec7a6e3d43fe45ebef43d864be)
6e10237d Don't process MR refs for guests in the notes
-rw-r--r-- | app/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml | 5 | ||||
-rw-r--r-- | spec/policies/project_policy_spec.rb | 12 |
3 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 4f54a66680a..d1d1737dc22 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -390,7 +390,7 @@ class ProjectPolicy < BasePolicy end.enable :read_issue_iid rule do - (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request) + (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request) end.enable :read_merge_request_iid private diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml new file mode 100644 index 00000000000..0281dde11e6 --- /dev/null +++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml @@ -0,0 +1,5 @@ +--- +title: Don't process MR refs for guests in the notes +merge_request: 2771 +author: +type: security diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 4191e4b18d3..8dc320737aa 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -12,7 +12,7 @@ describe ProjectPolicy do let(:base_guest_permissions) do %i[ read_project read_board read_list read_wiki read_issue - read_project_for_iids read_issue_iid read_merge_request_iid read_label + read_project_for_iids read_issue_iid read_label read_milestone read_project_snippet read_project_member read_note create_project create_issue create_note upload_file create_merge_request_in award_emoji @@ -164,6 +164,16 @@ describe ProjectPolicy do end end + context 'for a guest in a private project' do + let(:project) { create(:project, :private) } + subject { described_class.new(guest, project) } + + it 'disallows the guest from reading the merge request and merge request iid' do + expect_disallowed(:read_merge_request) + expect_disallowed(:read_merge_request_iid) + end + end + context 'builds feature' do context 'when builds are disabled' do subject { described_class.new(owner, project) } |