diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-01-19 21:00:47 +0000 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2017-01-20 12:37:09 -0500 |
| commit | f585255894663138775ef9ec45b8fab0ef13aa52 (patch) | |
| tree | 7f89f79ffe32cd09e20fd6009914c535986fa267 | |
| parent | c92bee65caa260429d917d24424c123290c5f5d8 (diff) | |
| download | gitlab-ce-f585255894663138775ef9ec45b8fab0ef13aa52.tar.gz | |
Merge branch 'fix-guest-access-posting-to-notes' into 'security'
Prevent users from creating notes on resources they can't access
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
| -rw-r--r-- | changelogs/unreleased/fix-guest-access-posting-to-notes.yml | 4 | ||||
| -rw-r--r-- | lib/api/notes.rb | 26 | ||||
| -rw-r--r-- | spec/requests/api/notes_spec.rb | 12 |
3 files changed, 32 insertions, 10 deletions
diff --git a/changelogs/unreleased/fix-guest-access-posting-to-notes.yml b/changelogs/unreleased/fix-guest-access-posting-to-notes.yml new file mode 100644 index 00000000000..81377c0c6f0 --- /dev/null +++ b/changelogs/unreleased/fix-guest-access-posting-to-notes.yml @@ -0,0 +1,4 @@ +--- +title: Prevent users from creating notes on resources they can't access +merge_request: +author: diff --git a/lib/api/notes.rb b/lib/api/notes.rb index b255b47742b..34f7b6a367e 100644 --- a/lib/api/notes.rb +++ b/lib/api/notes.rb @@ -70,21 +70,27 @@ module API required_attributes! [:body] opts = { - note: params[:body], - noteable_type: noteables_str.classify, - noteable_id: params[:noteable_id] + note: params[:body], + noteable_type: noteables_str.classify, + noteable_id: params[:noteable_id] } - if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user) - opts[:created_at] = params[:created_at] - end + noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id]) + + if can?(current_user, noteable_read_ability_name(noteable), noteable) + if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user) + opts[:created_at] = params[:created_at] + end - note = ::Notes::CreateService.new(user_project, current_user, opts).execute + note = ::Notes::CreateService.new(user_project, current_user, opts).execute - if note.valid? - present note, with: Entities::const_get(note.class.name) + if note.valid? + present note, with: Entities::const_get(note.class.name) + else + not_found!("Note #{note.errors.messages}") + end else - not_found!("Note #{note.errors.messages}") + not_found!("Note") end end diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb index b71a4c5a56e..62d01d2762c 100644 --- a/spec/requests/api/notes_spec.rb +++ b/spec/requests/api/notes_spec.rb @@ -264,6 +264,18 @@ describe API::API, api: true do end end + context 'when user does not have access to read the noteable' do + it 'responds with 404' do + project = create(:empty_project, :private) { |p| p.add_guest(user) } + issue = create(:issue, :confidential, project: project) + + post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), + body: 'Foo' + + expect(response).to have_http_status(404) + end + end + context 'when user does not have access to create noteable' do let(:private_issue) { create(:issue, project: create(:project, :private)) } |