summaryrefslogtreecommitdiff
path: root/app/policies
diff options
context:
space:
mode:
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-29 21:34:27 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-29 21:34:27 +0000
commit21b5239a0016796f1e2b60955f47c7daea318208 (patch)
treea687a9648a219949ace56711990231d2cb779ed3 /app/policies
parent5a008d136840b5c7fd5688060efa73dd1b5491ab (diff)
parentd30a90a354f3dc015093d80f9de9dc15b38ff2a0 (diff)
downloadgitlab-ce-21b5239a0016796f1e2b60955f47c7daea318208.tar.gz
Merge branch 'security-2853-prevent-comments-on-private-mrs' into 'master'
Ensure only authorised users can create notes on merge requests and issues See merge request gitlab/gitlabhq!3137
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/issue_policy.rb9
-rw-r--r--app/policies/merge_request_policy.rb6
2 files changed, 11 insertions, 4 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index dd8c5d49cf4..fa252af55e4 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -5,6 +5,8 @@ class IssuePolicy < IssuablePolicy
# Make sure to sync this class checks with issue.rb to avoid security problems.
# Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.
+ extend ProjectPolicy::ClassMethods
+
desc "User can read confidential issues"
condition(:can_read_confidential) do
@user && IssueCollection.new([@subject]).visible_to(@user).any?
@@ -14,13 +16,12 @@ class IssuePolicy < IssuablePolicy
condition(:confidential, scope: :subject) { @subject.confidential? }
rule { confidential & ~can_read_confidential }.policy do
- prevent :read_issue
+ prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
- prevent :update_issue
- prevent :admin_issue
- prevent :create_note
end
+ rule { ~can?(:read_issue) }.prevent :create_note
+
rule { locked }.policy do
prevent :reopen_issue
end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index a3692857ff4..5ad7bdabdff 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy
rule { locked }.policy do
prevent :reopen_merge_request
end
+
+ # Only users who can read the merge request can comment.
+ # Although :read_merge_request is computed in the policy context,
+ # it would not be safe to prevent :create_note there, since
+ # note permissions are shared, and this would apply too broadly.
+ rule { ~can?(:read_merge_request) }.prevent :create_note
end