author: Nick Thomas <nick@gitlab.com> 2019-08-22 16:05:07 +0100
committer: Nick Thomas <nick@gitlab.com> 2019-08-23 12:47:35 +0100
commit: 1e6765dbbb23b8b35d4f9d2966f3078b9792bf3c (patch)
tree: 0cc4bfb4f5e79fc9af93a6eea85763a0ed95c6a8 /changelogs
parent: bef9aef425e5331af54c761d37338226f4d0f813 (diff)
download: gitlab-ce-1e6765dbbb23b8b35d4f9d2966f3078b9792bf3c.tar.gz
Send TODOs for comments on commits correctly
At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue. This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
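The authorization mistake the commit message describes, as an added illustration that is not GitLab's code: a TODO service that decides whether a mentioned user may see a note on a commit by checking the project ability (`:read_project`) instead of the commit ability (`:read_commit`). All classes and names below (`User`, `Project`, `Commit`, `Note`, `Ability`, `TodoService`, the `:members`/`:everyone` repository setting) are hypothetical stand-ins for the GitLab classes, and the scenario data is constructed; the model shows how a commit can be less visible than the project that contains it, and why the check has to be made against the most specific object.

```ruby
# Added example, not GitLab's own code. Toy model of the TodoService
# authorization bug: the vulnerable path checks :read_project on the
# containing project, the fixed path checks :read_commit on the commit.
# Every class here is a hypothetical stand-in, not a GitLab class.

User = Struct.new(:name, :projects) do
  def member_of?(project)
    projects.include?(project)
  end
end

# A project is :public or :private; independently, its repository (and so
# its commits) can be restricted to :members only. That is how a commit
# ends up with a narrower audience than its project.
Project = Struct.new(:name, :visibility, :repository_access)
Commit  = Struct.new(:project, :sha)
Note    = Struct.new(:author, :commit, :mentioned_users)

module Ability
  module_function

  def can?(user, ability, subject)
    case ability
    when :read_project
      subject.visibility == :public || user.member_of?(subject)
    when :read_commit
      # The narrower check: the project must be readable AND the
      # repository must be open to this user.
      can?(user, :read_project, subject.project) &&
        (subject.project.repository_access == :everyone ||
         user.member_of?(subject.project))
    else
      false
    end
  end
end

class TodoService
  # +check+ is :read_project (behaviour before the fix) or
  # :read_commit (behaviour after the fix).
  def initialize(check)
    @check = check
  end

  # Returns the mentioned users who should receive a TODO for +note+.
  # Nobody should be notified about a note on an object they cannot read.
  def todos_for(note)
    note.mentioned_users.select do |user|
      case @check
      when :read_project then Ability.can?(user, :read_project, note.commit.project)
      when :read_commit  then Ability.can?(user, :read_commit, note.commit)
      else false
      end
    end
  end
end

# Constructed scenario: a public project whose repository is members-only.
PROJECT = Project.new('example-project', :public, :members)
COMMIT  = Commit.new(PROJECT, 'deadbeef')
ALICE   = User.new('alice', [PROJECT]) # member: may read the commit
BOB     = User.new('bob', [])          # non-member: may read the project, not its commits
NOTE    = Note.new(ALICE, COMMIT, [ALICE, BOB])

def vulnerable_recipients
  TodoService.new(:read_project).todos_for(NOTE).map(&:name)
end

def fixed_recipients
  TodoService.new(:read_commit).todos_for(NOTE).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{vulnerable_recipients.inspect}" # ["alice", "bob"]: bob learns of a commit he cannot read
  puts "after fix:  #{fixed_recipients.inspect}"      # ["alice"]
end
```

The leak in the vulnerable path is not the note text itself but the TODO's existence: a non-member receives a TODO referencing a commit in a members-only repository, which discloses that the commit (and a comment on it) exists. Checking the ability on the commit, the object the note is actually attached to, closes that gap regardless of how the project's other features are configured.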
Diffstat (limited to 'changelogs')
-rw-r--r-- changelogs/unreleased/security-64711-fix-commit-todos.yml | 5 +++++
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml
new file mode 100644
index 00000000000..ce4b3cdeeaf
--- /dev/null
+++ b/changelogs/unreleased/security-64711-fix-commit-todos.yml
@@ -0,0 +1,5 @@
+---
+title: Send TODOs for comments on commits correctly
+merge_request:
+author:
+type: security
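Review bot: the `merge_request:` and `author:` fields of the new changelog entry are left empty, and the title "Send TODOs for comments on commits correctly" does not say what was wrong, so a reader of the release notes cannot tell from this file that TODOs for commit notes were previously sent to users who could not read the commit. If the merge request number is being withheld until the security release is public, keep the field empty by convention, but consider a title that states the restriction, e.g. `title: Only create TODOs for commit notes when the user can read the commit`, matching the `:read_commit` check described in the commit message.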