author: Markus Koller <mkoller@gitlab.com> 2019-05-31 18:18:09 +0200
committer: Markus Koller <mkoller@gitlab.com> 2019-06-06 09:32:18 +0200
commit: 12d7b3937fa97048d5bd6c09769e837052ebb3db
tree: 87e7c57422d777e764f646cde551884ba70cca59
parent: 11bb3b53bcd2b50cb3fe243ac3b778354849cdde
Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise. This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
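As an added example, not GitLab's code and not part of this commit's diff: a plain-Ruby reconstruction of the mismatch the commit message describes, with the pre-fix controller authorizing the snippet from `:snippet_id` but attaching the note to whatever `:target_id` names, beside the post-fix controller that uses one noteable for both. `Snippet`, `User`, `NoteStore`, `can?`, `Forbidden` and the two controller classes are constructed stand-ins for the Rails models and policies, and the `params` hashes are constructed input.

```ruby
# Constructed stand-ins (not GitLab's models or policies).
Snippet = Struct.new(:id, :author_id, :visibility) do
  def readable_by?(user)
    visibility == :public || (!user.nil? && user.id == author_id)
  end
end

User = Struct.new(:id)

class Forbidden < StandardError; end

# Constructed data: snippet 1 is public, snippet 2 is private to user 1.
SNIPPETS = {
  1 => Snippet.new(1, 1, :public),
  2 => Snippet.new(2, 1, :private)
}.freeze

class NoteStore
  attr_reader :notes
  def initialize
    @notes = []
  end

  def create(snippet, user, body)
    @notes << { snippet_id: snippet.id, author_id: user.id, body: body }
  end
end

# Stand-in for can?(user, :read_personal_snippet, snippet) and
# can?(user, :create_note, noteable): creating a note requires read access.
def can?(user, action, snippet)
  case action
  when :read_personal_snippet, :create_note then snippet.readable_by?(user)
  else false
  end
end

# Before the fix: the read check runs against params[:snippet_id], but the
# note is attached to the noteable resolved from params[:target_id].
class VulnerableNotesController
  def initialize(user, params, store)
    @current_user, @params, @store = user, params, store
  end

  def create
    snippet = SNIPPETS.fetch(@params[:snippet_id])
    raise Forbidden unless can?(@current_user, :read_personal_snippet, snippet)

    noteable = SNIPPETS.fetch(@params[:target_id]) # attacker-controlled
    @store.create(noteable, @current_user, @params[:body])
    :created
  end
end

# After the fix: one noteable, resolved from :snippet_id, is used for both the
# authorization check and the note creation; :target_id/:target_type are ignored.
class FixedNotesController
  def initialize(user, params, store)
    @current_user, @params, @store = user, params, store
  end

  def noteable
    @noteable ||= SNIPPETS.fetch(@params[:snippet_id])
  end

  def create
    raise Forbidden unless can?(@current_user, :create_note, noteable)

    @store.create(noteable, @current_user, @params[:body])
    :created
  end
end

# Runs one create request as user 2 (who may read snippet 1 but not snippet 2)
# and returns [outcome, ids of the snippets that received a note].
def run(controller_class, params)
  store = NoteStore.new
  outcome = begin
    controller_class.new(User.new(2), params, store).create
  rescue Forbidden
    :forbidden
  end
  [outcome, store.notes.map { |n| n[:snippet_id] }]
end
```

With `snippet_id: 1, target_id: 2` the vulnerable controller passes the read check on the public snippet and then writes the note onto the private one; the fixed controller writes it onto snippet 1, and a direct `snippet_id: 2` is refused by both.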
Diffstat (limited to 'app/controllers/snippets')
-rw-r--r--  app/controllers/snippets/notes_controller.rb  8
1 file changed, 6 insertions, 2 deletions
diff --git a/app/controllers/snippets/notes_controller.rb b/app/controllers/snippets/notes_controller.rb
index eee14b0faf4..612897f27e6 100644
--- a/app/controllers/snippets/notes_controller.rb
+++ b/app/controllers/snippets/notes_controller.rb
@@ -5,8 +5,8 @@ class Snippets::NotesController < ApplicationController
include ToggleAwardEmoji
skip_before_action :authenticate_user!, only: [:index]
- before_action :snippet
- before_action :authorize_read_snippet!, only: [:show, :index, :create]
+ before_action :authorize_read_snippet!, only: [:show, :index]
+ before_action :authorize_create_note!, only: [:create]
private
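Review bot: with `:create` removed from `authorize_read_snippet!`, the create path is now gated only by `can?(current_user, :create_note, noteable)`, so the fix holds only if `noteable` in this controller is resolved from `:snippet_id` and the `:create_note` policy implies read access on that snippet; neither definition is visible in this hunk, and the diffstat is limited to app/controllers/snippets, so the part of the change that (per the commit message) ignores `:target_id` and `:target_type` cannot be checked here. Please reference where `noteable` is defined so a reviewer can confirm it no longer honours `:target_id`. Dropping `before_action :snippet` is safe for `show` and `index` because `authorize_read_snippet!` calls `snippet` itself, but check that no other filter or action in this controller relied on `snippet` having been loaded first.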
@@ -33,4 +33,8 @@ class Snippets::NotesController < ApplicationController
def authorize_read_snippet!
return render_404 unless can?(current_user, :read_personal_snippet, snippet)
end
+
+ def authorize_create_note!
+ access_denied! unless can?(current_user, :create_note, noteable)
+ end
end
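Review bot: `access_denied!` in `authorize_create_note!` versus `render_404` in `authorize_read_snippet!` directly above means the two filters fail differently: a user who cannot read a snippet gets a 404 from `show` and `index` but an access-denied response from `create`, so POSTing notes against guessed snippet ids now reveals which ids exist. Suggest `return render_404 unless can?(current_user, :create_note, noteable)` for consistency, or keep `:create` in the `authorize_read_snippet!` filter as well so the 404 check runs before the create check. Also, this method uses `noteable` while the neighbouring method uses `snippet`; if they refer to the same object, define one in terms of the other so the equivalence the commit message relies on is explicit in the code.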