diff options
author | Robert Speicher <robert@gitlab.com> | 2017-01-19 21:00:47 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2017-01-22 12:06:17 -0500 |
commit | 217411f3816d3e5092cdb6edaadb0987b061e564 (patch) | |
tree | bd1e0f768ab4cd4e7c54c393e62235256b836bcf | |
parent | 815882783a32482dc84f82e479b4e1f1552fca92 (diff) | |
download | gitlab-ce-217411f3816d3e5092cdb6edaadb0987b061e564.tar.gz |
Merge branch 'fix-guest-access-posting-to-notes' into 'security'
Prevent users from creating notes on resources they can't access
See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
-rw-r--r-- | changelogs/unreleased/fix-guest-access-posting-to-notes.yml | 4 | ||||
-rw-r--r-- | lib/api/notes.rb | 26 | ||||
-rw-r--r-- | spec/requests/api/notes_spec.rb | 12 |
3 files changed, 32 insertions, 10 deletions
diff --git a/changelogs/unreleased/fix-guest-access-posting-to-notes.yml b/changelogs/unreleased/fix-guest-access-posting-to-notes.yml new file mode 100644 index 00000000000..81377c0c6f0 --- /dev/null +++ b/changelogs/unreleased/fix-guest-access-posting-to-notes.yml @@ -0,0 +1,4 @@ +--- +title: Prevent users from creating notes on resources they can't access +merge_request: +author: diff --git a/lib/api/notes.rb b/lib/api/notes.rb index 284e4cf549a..4d2a8f48267 100644 --- a/lib/api/notes.rb +++ b/lib/api/notes.rb @@ -70,21 +70,27 @@ module API end post ":id/#{noteables_str}/:noteable_id/notes" do opts = { - note: params[:body], - noteable_type: noteables_str.classify, - noteable_id: params[:noteable_id] + note: params[:body], + noteable_type: noteables_str.classify, + noteable_id: params[:noteable_id] } - if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user) - opts[:created_at] = params[:created_at] - end + noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id]) + + if can?(current_user, noteable_read_ability_name(noteable), noteable) + if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user) + opts[:created_at] = params[:created_at] + end - note = ::Notes::CreateService.new(user_project, current_user, opts).execute + note = ::Notes::CreateService.new(user_project, current_user, opts).execute - if note.valid? - present note, with: Entities::const_get(note.class.name) + if note.valid? + present note, with: Entities::const_get(note.class.name) + else + not_found!("Note #{note.errors.messages}") + end else - not_found!("Note #{note.errors.messages}") + not_found!("Note") end end diff --git a/spec/requests/api/notes_spec.rb b/spec/requests/api/notes_spec.rb index 028f93c8561..f065da9ca61 100644 --- a/spec/requests/api/notes_spec.rb +++ b/spec/requests/api/notes_spec.rb @@ -264,6 +264,18 @@ describe API::Notes, api: true do end end + context 'when user does not have access to read the noteable' do + it 'responds with 404' do + project = create(:empty_project, :private) { |p| p.add_guest(user) } + issue = create(:issue, :confidential, project: project) + + post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), + body: 'Foo' + + expect(response).to have_http_status(404) + end + end + context 'when user does not have access to create noteable' do let(:private_issue) { create(:issue, project: create(:project, :private)) } |