diff options
author | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-06-04 23:30:54 -0400 |
---|---|---|
committer | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-08-07 03:04:33 +0100 |
commit | d30a90a354f3dc015093d80f9de9dc15b38ff2a0 (patch) | |
tree | 3801475fb39956a6cc73598518b5bc6a7afbb3b1 /app/policies | |
parent | 1dfbb27f6e8d01023564eededff2a0ba1a04badc (diff) | |
download | gitlab-ce-d30a90a354f3dc015093d80f9de9dc15b38ff2a0.tar.gz |
Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs
This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.
* Prevent creating notes in inaccessible Issues
without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.
* Add CHANGELOG entry
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/issue_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/merge_request_policy.rb | 6 |
2 files changed, 11 insertions, 4 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index dd8c5d49cf4..fa252af55e4 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb @@ -5,6 +5,8 @@ class IssuePolicy < IssuablePolicy # Make sure to sync this class checks with issue.rb to avoid security problems. # Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information. + extend ProjectPolicy::ClassMethods + desc "User can read confidential issues" condition(:can_read_confidential) do @user && IssueCollection.new([@subject]).visible_to(@user).any? @@ -14,13 +16,12 @@ class IssuePolicy < IssuablePolicy condition(:confidential, scope: :subject) { @subject.confidential? } rule { confidential & ~can_read_confidential }.policy do - prevent :read_issue + prevent(*create_read_update_admin_destroy(:issue)) prevent :read_issue_iid - prevent :update_issue - prevent :admin_issue - prevent :create_note end + rule { ~can?(:read_issue) }.prevent :create_note + rule { locked }.policy do prevent :reopen_issue end diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb index a3692857ff4..5ad7bdabdff 100644 --- a/app/policies/merge_request_policy.rb +++ b/app/policies/merge_request_policy.rb @@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy rule { locked }.policy do prevent :reopen_merge_request end + + # Only users who can read the merge request can comment. + # Although :read_merge_request is computed in the policy context, + # it would not be safe to prevent :create_note there, since + # note permissions are shared, and this would apply too broadly. + rule { ~can?(:read_merge_request) }.prevent :create_note end |