diff options
author | Alexandru Croitor <acroitor@gitlab.com> | 2019-09-18 11:26:20 +0300 |
---|---|---|
committer | Alexandru Croitor <acroitor@gitlab.com> | 2019-09-25 11:56:19 +0300 |
commit | c01ad00ebd7e6f5979e426b735582632d54f36f8 (patch) | |
tree | 1f1aee9dda0767acbbcaa63cbf25996dec3049a7 /app | |
parent | 0be35b492ea2c2f447c11c7b94e81da0db7a7d56 (diff) | |
download | gitlab-ce-c01ad00ebd7e6f5979e426b735582632d54f36f8.tar.gz |
Add policy check if cross reference system notes are accessible
Diffstat (limited to 'app')
-rw-r--r-- | app/models/discussion.rb | 1 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 9 |
2 files changed, 10 insertions, 0 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb index dd896f77084..0d066d0d99f 100644 --- a/app/models/discussion.rb +++ b/app/models/discussion.rb @@ -18,6 +18,7 @@ class Discussion :for_merge_request?, :to_ability_name, :editable?, + :visible_for?, to: :first_note diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index 8d23e3abed3..b2af6c874c7 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -11,6 +11,8 @@ class NotePolicy < BasePolicy condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } + condition(:is_visible) { @subject.visible_for?(@user) } + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes @@ -27,6 +29,13 @@ class NotePolicy < BasePolicy enable :resolve_note end + rule { ~is_visible }.policy do + prevent :read_note + prevent :admin_note + prevent :resolve_note + prevent :award_emoji + end + rule { is_noteable_author }.policy do enable :resolve_note end |