author | Heinrich Lee Yu <hleeyu@gmail.com> | 2019-01-16 02:53:24 +0800 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-31 16:52:48 +0100 |
commit | 35b8f103a87811e0a825773aad3e3d04ee85fa9e (patch) | |
tree | 904b43a964b34922562589318d74316b14980629 /app | |
parent | 1549039602dd88fa4f33b0c3f82861ab9bdd7669 (diff) | |
download | gitlab-ce-35b8f103a87811e0a825773aad3e3d04ee85fa9e.tar.gz |
Prevent comments by email when issue is locked
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.
Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.
Diffstat (limited to 'app')
-rw-r--r-- | app/policies/issue_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/personal_snippet_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/project_snippet_policy.rb | 2 | ||||
-rw-r--r-- | app/services/notes/build_service.rb | 15 |
4 files changed, 9 insertions, 14 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index a0706eaa46c..dd8c5d49cf4 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -18,6 +18,7 @@ class IssuePolicy < IssuablePolicy
     prevent :read_issue_iid
     prevent :update_issue
     prevent :admin_issue
+    prevent :create_note
   end
 
   rule { locked }.policy do
diff --git a/app/policies/personal_snippet_policy.rb b/app/policies/personal_snippet_policy.rb
index 040b5a73415..2b5cca76c20 100644
--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@@ -28,7 +28,10 @@ class PersonalSnippetPolicy < BasePolicy
 
   rule { anonymous }.prevent :comment_personal_snippet
 
-  rule { can?(:comment_personal_snippet) }.enable :award_emoji
+  rule { can?(:comment_personal_snippet) }.policy do
+    enable :create_note
+    enable :award_emoji
+  end
 
   rule { full_private_access }.enable :read_personal_snippet
 end
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index 7dafa33bb99..e5e005cee6d 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -43,4 +43,6 @@ class ProjectSnippetPolicy < BasePolicy
     enable :update_project_snippet
     enable :admin_project_snippet
   end
+
+  rule { ~can?(:read_project_snippet) }.prevent :create_note
 end
diff --git a/app/services/notes/build_service.rb b/app/services/notes/build_service.rb
index 7b92fe6fe14..bae98ede561 100644
--- a/app/services/notes/build_service.rb
+++ b/app/services/notes/build_service.rb
@@ -9,7 +9,7 @@ module Notes
       if in_reply_to_discussion_id.present?
         discussion = find_discussion(in_reply_to_discussion_id)
 
-        unless discussion
+        unless discussion && can?(current_user, :create_note, discussion.noteable)
           note = Note.new
           note.errors.add(:base, 'Discussion to reply to cannot be found')
           return note
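Review bot: The rule block that encloses the new `prevent :create_note` begins outside the hunk, so the condition it sits under (presumably the confidential-issue rule, judging by the neighbouring `prevent :read_issue_iid` and the commit description) is not visible from this hunk alone. Because `Notes::BuildService` now treats this policy as the single authority for whether a reply may be built, a one-line comment on the new line would record that dependency: `# also denies replies built through Notes::BuildService (e.g. by email)`. The `rule { locked }` block that follows is untouched here; I assume it already prevents :create_note, as the commit title implies, but that is not shown.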
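Review bot: In the personal_snippet_policy.rb hunk, `:create_note` is now derived from `can?(:comment_personal_snippet)`, so the `rule { anonymous }.prevent :comment_personal_snippet` just above also removes `:create_note` for anonymous users; that coupling is indirect and easy to miss when the rules are later edited. A short comment on the new block would make it explicit: `# :create_note and :award_emoji follow :comment_personal_snippet, so every prevent on that ability applies to both`.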
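Review bot: In the project_snippet_policy.rb hunk, `rule { ~can?(:read_project_snippet) }.prevent :create_note` is a bare prevent with no matching enable anywhere in this file, which only makes sense if `:create_note` is otherwise granted through delegation to the project policy; that delegation is not visible in the hunk, so it should be stated next to the rule. Suggested comment: `# :create_note is inherited from the project policy; deny it when the snippet itself is not readable`. Unlike PersonalSnippetPolicy in the same commit, this file keys the denial on readability rather than on a comment ability, which deserves a sentence if the asymmetry is intended.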
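Review bot: In the build_service.rb hunk, the new guard `unless discussion && can?(current_user, :create_note, discussion.noteable)` reports an authorization failure with the same 'Discussion to reply to cannot be found' message as a genuinely missing discussion. That is a reasonable choice, since it does not tell the caller whether the discussion exists, but nothing in the code says it is deliberate, so a later maintainer may split it into a distinct "not permitted" message. Add `# not-found and not-permitted share one message so the reply path does not reveal whether the discussion exists` above the `unless`. The enclosing method starts before the hunk, so how `current_user` and the returned note are used afterwards is not visible here.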
@@ -34,19 +34,8 @@ module Notes
       if project
         project.notes.find_discussion(discussion_id)
       else
-        discussion = Note.find_discussion(discussion_id)
-        noteable = discussion.noteable
-
-        return nil unless noteable_without_project?(noteable)
-
-        discussion
+        Note.find_discussion(discussion_id)
       end
     end
-
-    def noteable_without_project?(noteable)
-      return true if noteable.is_a?(PersonalSnippet) && can?(current_user, :comment_personal_snippet, noteable)
-
-      false
-    end
   end
 end
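Review bot: After this change `find_discussion` performs no authorization in its no-project branch: `Note.find_discussion(discussion_id)` returns a discussion on whatever noteable it belongs to, and the only permission check is the `can?(current_user, :create_note, discussion.noteable)` added in the earlier hunk of this file. That contract should be written on the method so the branch is not reused elsewhere without the check: `# No authorization here; callers must check :create_note on discussion.noteable`. The `def find_discussion` line itself lies above the hunk, so the comment would go there rather than on a changed line.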