Prevent unauthorised comments on merge requests

* Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry
author: Alex Kalderimis <alex.kalderimis@gmail.com> 2019-06-04 23:30:54 -0400
committer: Alex Kalderimis <alex.kalderimis@gmail.com> 2019-08-07 03:26:23 +0100
commit: e640de75188ad468c8ae973174b94490d193505c (patch)
tree: 7f1ddecf60254b07d43af0a2a7a627e7cb4d4591 /changelogs
parent: b80c6d473cecdf4415a24d63afea76e15721cfb4 (diff)
download: gitlab-ce-e640de75188ad468c8ae973174b94490d193505c.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
new file mode 100644
index 00000000000..ba970162447
--- /dev/null
+++ b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
@@ -0,0 +1,3 @@
+---
+title: Ensure only authorised users can create notes on Merge Requests and Issues
+type: security
author	Alex Kalderimis <alex.kalderimis@gmail.com>	2019-06-04 23:30:54 -0400
committer	Alex Kalderimis <alex.kalderimis@gmail.com>	2019-08-07 03:26:23 +0100
commit	e640de75188ad468c8ae973174b94490d193505c (patch)
tree	7f1ddecf60254b07d43af0a2a7a627e7cb4d4591 /changelogs
parent	b80c6d473cecdf4415a24d63afea76e15721cfb4 (diff)
download	gitlab-ce-e640de75188ad468c8ae973174b94490d193505c.tar.gz