diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 13:53:18 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 13:53:18 +0000 |
commit | 42902b2fcba875241edca5ed5b24c6eb8108b4d0 (patch) | |
tree | 56ed32824607102e5c11ab0ca9da79acf5e93187 /app | |
parent | 7224fd1cc5bda5aa5b0e822f7e5eba66b8d87012 (diff) | |
parent | e82f50d0e5c2aecb8041ad73cba0a571cf5f38a7 (diff) | |
download | gitlab-ce-42902b2fcba875241edca5ed5b24c6eb8108b4d0.tar.gz |
Merge branch 'security-12630-private-system-note-disclosed-in-graphql-12-3-ce' into '12-3-stable'
Add policy check if cross reference system notes are accessible
See merge request gitlab/gitlabhq!3426
Diffstat (limited to 'app')
-rw-r--r-- | app/models/discussion.rb | 1 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 9 |
2 files changed, 10 insertions, 0 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb index dd896f77084..0d066d0d99f 100644 --- a/app/models/discussion.rb +++ b/app/models/discussion.rb @@ -18,6 +18,7 @@ class Discussion :for_merge_request?, :to_ability_name, :editable?, + :visible_for?, to: :first_note diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index 8d23e3abed3..b2af6c874c7 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -11,6 +11,8 @@ class NotePolicy < BasePolicy condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } + condition(:is_visible) { @subject.visible_for?(@user) } + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes @@ -27,6 +29,13 @@ class NotePolicy < BasePolicy enable :resolve_note end + rule { ~is_visible }.policy do + prevent :read_note + prevent :admin_note + prevent :resolve_note + prevent :award_emoji + end + rule { is_noteable_author }.policy do enable :resolve_note end |