| author | Nick Thomas <nick@gitlab.com> | 2019-08-22 16:05:07 +0100 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2019-08-23 12:47:54 +0100 |
| commit | 642f6b38169c5805676f061708d25137f4cc986e (patch) | |
| tree | 0fa7b94a595164c0b8e8338850bc7d4f4c0aa811 /app/services/todo_service.rb | |
| parent | f7f3b3c3efd58f31ed422808722b0c81a0bf1064 (diff) | |
| download | gitlab-ce-642f6b38169c5805676f061708d25137f4cc986e.tar.gz | |
Send TODOs for comments on commits correctly
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
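The commit message describes an authorization check that was scoped to the wrong object: a note on a commit was filtered by `:read_project` even though the commit itself can be narrower than the project. The following is an added, self-contained illustration of that difference; it is constructed example code, not GitLab's `TodoService` or its policy layer. `Project`, `Commit`, `Issue`, `Note`, the `can?` resolver and the `readers` list that models a restricted commit are all stand-ins invented for this example. It runs the old and the new shape of the filter side by side on a commit note that one project member is not allowed to see.

```ruby
# Constructed toy model of the access filter described in the commit message.
# Nothing here is GitLab code; the classes and the ability resolver are stand-ins.

Project = Struct.new(:name, :members)

# A commit can be more restricted than its project (for instance, it may only
# exist on a branch some members cannot see). That is modelled here with an
# explicit list of users who may read the commit.
Commit = Struct.new(:sha, :project, :readers) do
  def to_ability_name
    "commit"
  end
end

Issue = Struct.new(:iid, :project) do
  def to_ability_name
    "issue"
  end
end

# A note belongs to a project and points at a noteable (Commit or Issue).
Note = Struct.new(:noteable, :project)

# Minimal ability resolver standing in for a real policy layer.
# Unknown abilities are denied, so a typo in an ability name fails closed.
def can?(user, ability, subject)
  case ability
  when :read_project then subject.members.include?(user)
  when :read_commit  then subject.readers.include?(user)
  when :read_issue   then subject.project.members.include?(user)
  else false
  end
end

def select_users(users, ability, subject)
  users.select { |u| can?(u, ability, subject) }
end

# Old shape: only notes on issuables are unwrapped; a note on a commit is
# checked against the project, so members who cannot see the commit still pass.
def reject_users_without_access_before(users, parent, target)
  if target.is_a?(Note) && target.noteable.is_a?(Issue)
    target = target.noteable
  end

  if target.is_a?(Issue)
    select_users(users, :"read_#{target.to_ability_name}", target)
  else
    select_users(users, :read_project, parent)
  end
end

# New shape: every note is unwrapped to its noteable, and anything that knows
# its ability name is checked with the matching read_<name> ability.
def reject_users_without_access_after(users, parent, target)
  target = target.noteable if target.is_a?(Note)

  if target.respond_to?(:to_ability_name)
    select_users(users, :"read_#{target.to_ability_name}", target)
  else
    select_users(users, :read_project, parent)
  end
end

# Constructed scenario: alice and bob are both project members, but only
# alice may read the commit that the note is attached to.
def commit_note_scenario
  alice = "alice"
  bob = "bob"
  project = Project.new("example-project", [alice, bob])
  commit = Commit.new("0000000", project, [alice])  # placeholder sha
  note = Note.new(commit, project)
  issue_note = Note.new(Issue.new(1, project), project)

  {
    commit_before: reject_users_without_access_before([alice, bob], project, note),
    commit_after:  reject_users_without_access_after([alice, bob], project, note),
    # Issue notes behave the same under both shapes.
    issue_before:  reject_users_without_access_before([alice, bob], project, issue_note),
    issue_after:   reject_users_without_access_after([alice, bob], project, issue_note),
  }
end

if __FILE__ == $PROGRAM_NAME
  commit_note_scenario.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The old filter returns both members for the commit note, which is the TODO leak the commit fixes; the new filter returns only the member who can read the commit, and issue notes are unaffected by the change. The deny-by-default branch in `can?` matters for the new shape: `respond_to?(:to_ability_name)` trusts that every noteable type has a `read_<name>` ability defined, and a resolver that denies unknown abilities turns a missing definition into a visible failure rather than a silent grant.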
Diffstat (limited to 'app/services/todo_service.rb')
-rw-r--r-- | app/services/todo_service.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb index 0ea230a44a1..b1256df35d6 100644 --- a/app/services/todo_service.rb +++ b/app/services/todo_service.rb @@ -314,11 +314,9 @@ class TodoService end def reject_users_without_access(users, parent, target) - if target.is_a?(Note) && target.for_issuable? - target = target.noteable - end + target = target.noteable if target.is_a?(Note) - if target.is_a?(Issuable) + if target.respond_to?(:to_ability_name) select_users(users, :"read_#{target.to_ability_name}", target) else select_users(users, :read_project, parent) |
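Review bot: the `else` branch still falls back to `select_users(users, :read_project, parent)` for any target that does not respond to `to_ability_name`, and with the new unconditional `target = target.noteable if target.is_a?(Note)` that includes a note whose `noteable` returns nil, so the project-level check this commit is replacing for commit notes stays reachable on that path; consider returning an empty set when the unwrapped target is nil, and add a spec asserting that a note on a commit a project member cannot see produces no TODO for that member. The `respond_to?(:to_ability_name)` condition also silently assumes every noteable type has a matching `read_<name>` ability defined in the policy layer; a short comment on that line stating the assumption would help the next reader.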