Merge branch 'security-53543-user-keeps-access-to-mr-issue-when-removed-from-team' into 'master'

[master] Adds validation to check if user can read project See merge request gitlab/gitlabhq!2645
author: John Jarvis <jarv@gitlab.com> 2019-01-01 20:38:54 +0000
committer: John Jarvis <jarv@gitlab.com> 2019-01-01 20:38:54 +0000
commit: ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (patch)
tree: 21ccbfaf52dc63f7b58211eec27faa2a7f5d28b2 /app/policies
parent: 3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (diff)
parent: 52feca595a3311fc12a6f35191a24ff61c33e440 (diff)
download: gitlab-ce-ec4ade500e5eb7060b4b79f6bed2f474ce03a851.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 6d8b575102e..ecb2797d1d9 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -11,7 +11,7 @@ class IssuablePolicy < BasePolicy
     @user && @subject.assignee_or_author?(@user)
   end
 
-  rule { assignee_or_author }.policy do
+  rule { can?(:guest_access) & assignee_or_author }.policy do
     enable :read_issue
     enable :update_issue
     enable :reopen_issue
author	John Jarvis <jarv@gitlab.com>	2019-01-01 20:38:54 +0000
committer	John Jarvis <jarv@gitlab.com>	2019-01-01 20:38:54 +0000
commit	ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (patch)
tree	21ccbfaf52dc63f7b58211eec27faa2a7f5d28b2 /app/policies
parent	3fca973e339e9bbf7a2e993bb36e0d800d4e1041 (diff)
parent	52feca595a3311fc12a6f35191a24ff61c33e440 (diff)
download	gitlab-ce-ec4ade500e5eb7060b4b79f6bed2f474ce03a851.tar.gz