Merge branch 'security-2853-prevent-comments-on-private-mrs' into 'master'

Ensure only authorised users can create notes on merge requests and issues

See merge request gitlab/gitlabhq!3137

2 files changed, 11 insertions, 4 deletions

diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index dd8c5d49cf4..fa252af55e4 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -5,6 +5,8 @@ class IssuePolicy < IssuablePolicy
   # Make sure to sync this class checks with issue.rb to avoid security problems.
   # Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.
 
+  extend ProjectPolicy::ClassMethods
+
   desc "User can read confidential issues"
   condition(:can_read_confidential) do
     @user && IssueCollection.new([@subject]).visible_to(@user).any?
@@ -14,13 +16,12 @@ class IssuePolicy < IssuablePolicy
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
   rule { confidential & ~can_read_confidential }.policy do
-    prevent :read_issue
+    prevent(*create_read_update_admin_destroy(:issue))
     prevent :read_issue_iid
-    prevent :update_issue
-    prevent :admin_issue
-    prevent :create_note
   end
 
+  rule { ~can?(:read_issue) }.prevent :create_note
+
   rule { locked }.policy do
     prevent :reopen_issue
   end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index a3692857ff4..5ad7bdabdff 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy
   rule { locked }.policy do
     prevent :reopen_merge_request
   end
+
+  # Only users who can read the merge request can comment.
+  # Although :read_merge_request is computed in the policy context,
+  # it would not be safe to prevent :create_note there, since
+  # note permissions are shared, and this would apply too broadly.
+  rule { ~can?(:read_merge_request) }.prevent :create_note
 end