diff options
| author | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-06-04 23:30:54 -0400 |
|---|---|---|
| committer | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-08-07 03:22:26 +0100 |
| commit | 39e400e29a8d8f32e0ac2cb74d504d53885d67bc (patch) | |
| tree | 5d272e61c97b701ecc263fecf6428deb684179f9 /app/policies | |
| parent | 34d086f3e14eecf3bfdcf766f7b3499bd3aad47b (diff) | |
| download | gitlab-ce-39e400e29a8d8f32e0ac2cb74d504d53885d67bc.tar.gz | |
Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs
This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.
* Prevent creating notes in inaccessible Issues
without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.
* Add CHANGELOG entry
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/issue_policy.rb | 9 | ||||
| -rw-r--r-- | app/policies/merge_request_policy.rb | 6 |
2 files changed, 11 insertions, 4 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index dd8c5d49cf4..fa252af55e4 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb @@ -5,6 +5,8 @@ class IssuePolicy < IssuablePolicy # Make sure to sync this class checks with issue.rb to avoid security problems. # Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information. + extend ProjectPolicy::ClassMethods + desc "User can read confidential issues" condition(:can_read_confidential) do @user && IssueCollection.new([@subject]).visible_to(@user).any? @@ -14,13 +16,12 @@ class IssuePolicy < IssuablePolicy condition(:confidential, scope: :subject) { @subject.confidential? } rule { confidential & ~can_read_confidential }.policy do - prevent :read_issue + prevent(*create_read_update_admin_destroy(:issue)) prevent :read_issue_iid - prevent :update_issue - prevent :admin_issue - prevent :create_note end + rule { ~can?(:read_issue) }.prevent :create_note + rule { locked }.policy do prevent :reopen_issue end diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb index a3692857ff4..5ad7bdabdff 100644 --- a/app/policies/merge_request_policy.rb +++ b/app/policies/merge_request_policy.rb @@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy rule { locked }.policy do prevent :reopen_merge_request end + + # Only users who can read the merge request can comment. + # Although :read_merge_request is computed in the policy context, + # it would not be safe to prevent :create_note there, since + # note permissions are shared, and this would apply too broadly. + rule { ~can?(:read_merge_request) }.prevent :create_note end |