author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-29 08:21:48 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-04-29 08:22:13 +0000 |
commit | 6c85cb2ff17cf4ea34372e84ef579734fd607cec (patch) | |
tree | 849664d342d73d66233b4bf0b281bfa10acbb180 | |
parent | 4c4f653296e104566d2dd9a330b460c7ddc8cfc5 (diff) | |
download | gitlab-ce-6c85cb2ff17cf4ea34372e84ef579734fd607cec.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
-rw-r--r-- | app/services/todo_service.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/markdown_cache.rb | 4 | ||||
-rw-r--r-- | spec/services/todo_service_spec.rb | 12 |
3 files changed, 14 insertions, 4 deletions
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 64309c7f786..14cf264cc51 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -369,8 +369,6 @@ class TodoService
 end
 def reject_users_without_access(users, parent, target)
- target = target.noteable if target.is_a?(Note)
-
 if target.respond_to?(:to_ability_name)
 select_users(users, :"read_#{target.to_ability_name}", target)
 else
diff --git a/lib/gitlab/markdown_cache.rb b/lib/gitlab/markdown_cache.rb
index d6371732624..283502d90c1 100644
--- a/lib/gitlab/markdown_cache.rb
+++ b/lib/gitlab/markdown_cache.rb
@@ -11,8 +11,8 @@ module Gitlab
 # this if the change to the renderer output is a new feature or a
 # minor bug fix.
 # See: https://gitlab.com/gitlab-org/gitlab/-/issues/330313
- CACHE_COMMONMARK_VERSION = 29
- CACHE_COMMONMARK_VERSION_START = 10
+ CACHE_COMMONMARK_VERSION = 30
+ CACHE_COMMONMARK_VERSION_START = 10
 BaseError = Class.new(StandardError)
 UnsupportedClassError = Class.new(BaseError)
diff --git a/spec/services/todo_service_spec.rb b/spec/services/todo_service_spec.rb
index 6e10d0281b7..e4582e19416 100644
--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
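Review bot: In `reject_users_without_access` (app/services/todo_service.rb), nothing on the new side records why a `Note` target is no longer swapped for its noteable, although this is the line that decides who receives a todo for a confidential note. With the unwrapping gone, a Note is authorised through `:"read_#{target.to_ability_name}"` on the note itself, which presumably resolves to a note-level read ability instead of the issue-level one; the spec added in this commit suggests that is the intent. I would add a comment above the `if`, for example `# Check the ability on the target itself: a Note must not be replaced by its noteable, or users who can read the issue but not a confidential note would still get a todo.` The `else` branch and the end of the method lie outside the hunk, so the fallback path for targets without `to_ability_name` cannot be reviewed from here.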
@@ -391,6 +391,7 @@ RSpec.describe TodoService do
 let!(:second_todo) { create(:todo, :assigned, user: john_doe, project: project, target: issue, author: author) }
 let(:confidential_issue) { create(:issue, :confidential, project: project, author: author, assignees: [assignee]) }
 let(:note) { create(:note, project: project, noteable: issue, author: john_doe, note: mentions) }
+ let(:confidential_note) { create(:note, :confidential, project: project, noteable: issue, author: john_doe, note: mentions) }
 let(:addressed_note) { create(:note, project: project, noteable: issue, author: john_doe, note: directly_addressed) }
 let(:note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: mentions) }
 let(:addressed_note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: directly_addressed) }
@@ -468,6 +469,17 @@ RSpec.describe TodoService do
 should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
 end
+ it 'does not create todo if user can not read confidential note' do
+ service.new_note(confidential_note, john_doe)
+
+ should_not_create_todo(user: non_member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ should_not_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ should_create_todo(user: member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ should_create_todo(user: author, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ should_create_todo(user: assignee, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ should_create_todo(user: john_doe, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+ end
+
 context 'commits' do
 let(:base_commit_todo_attrs) { { target_id: nil, target_type: 'Commit', author: john_doe } } |
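Review bot: The new example `'does not create todo if user can not read confidential note'` pins only the `Todo::MENTIONED` action, so the confidential-note check is unpinned for directly addressed users even though the surrounding examples cover `Todo::DIRECTLY_ADDRESSED` separately. I would add a second fixture next to `confidential_note` in the earlier hunk, `let(:confidential_addressed_note) { create(:note, :confidential, project: project, noteable: issue, author: john_doe, note: directly_addressed) }`, and assert `should_not_create_todo(user: guest, target: issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: confidential_addressed_note)` after `service.new_note`. This assumes `directly_addressed` names the same users as `mentions`, which is defined outside the hunk and should be confirmed. If the service also has a note-update path, it would merit the same negative assertion; none is visible in this diff.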