Add policy check if cross reference system notes are accessible

author: Alexandru Croitor <acroitor@gitlab.com> 2019-09-18 11:26:20 +0300
committer: Yorick Peterse <yorick@yorickpeterse.com> 2019-09-30 14:22:05 +0200
commit: c99402c05f18c6ca8dd7b64c59527abe1e6e80d4 (patch)
tree: 486679c27fb41fdf9d729b7277b98237841590ab /app/policies/note_policy.rb
parent: e5fdd91318c590753cf0f920a2cf9b1a530e96f8 (diff)
download: gitlab-ce-c99402c05f18c6ca8dd7b64c59527abe1e6e80d4.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 8d23e3abed3..b2af6c874c7 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -11,6 +11,8 @@ class NotePolicy < BasePolicy
 
   condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") }
 
+  condition(:is_visible) { @subject.visible_for?(@user) }
+
   rule { ~editable }.prevent :admin_note
 
   # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -27,6 +29,13 @@ class NotePolicy < BasePolicy
     enable :resolve_note
   end
 
+  rule { ~is_visible }.policy do
+    prevent :read_note
+    prevent :admin_note
+    prevent :resolve_note
+    prevent :award_emoji
+  end
+
   rule { is_noteable_author }.policy do
     enable :resolve_note
   end
author	Alexandru Croitor <acroitor@gitlab.com>	2019-09-18 11:26:20 +0300
committer	Yorick Peterse <yorick@yorickpeterse.com>	2019-09-30 14:22:05 +0200
commit	c99402c05f18c6ca8dd7b64c59527abe1e6e80d4 (patch)
tree	486679c27fb41fdf9d729b7277b98237841590ab /app/policies/note_policy.rb
parent	e5fdd91318c590753cf0f920a2cf9b1a530e96f8 (diff)
download	gitlab-ce-c99402c05f18c6ca8dd7b64c59527abe1e6e80d4.tar.gz