| author | Nick Thomas <nick@gitlab.com> | 2019-08-22 16:05:07 +0100 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2019-08-23 12:47:27 +0100 |
| commit | b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e (patch) | |
| tree | 44848add41cc6627cdcacb469ffd80e23e8f7595 /changelogs | |
| parent | 4a6d22ba439cb20937669c4aa2046acffb36a60e (diff) | |
| download | gitlab-ce-b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e.tar.gz | |
Send TODOs for comments on commits correctly
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
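The two checks the commit message contrasts, as an added illustration in Ruby (not GitLab's own code): the `Project`, `Commit`, `Note` and `Todo` structs and the `can?` helper are constructed stand-ins, and a commit's restricted visibility is modelled as an explicit reader list.

```ruby
# Added illustration of the authorization change the commit message describes;
# not GitLab code. All structs and the can? helper are constructed stand-ins.
Project = Struct.new(:name, :members)
# A commit can be more restricted than its project (the premise of the fix);
# we model that as an explicit list of users allowed to read the commit.
Commit  = Struct.new(:sha, :project, :readers)
Note    = Struct.new(:commit, :author, :mentioned)
Todo    = Struct.new(:user, :commit)

def can?(user, ability, subject)
  case ability
  when :read_project then subject.members.include?(user)
  when :read_commit
    # Reading a commit needs project access *and* access to the commit itself.
    subject.project.members.include?(user) && subject.readers.include?(user)
  else false
  end
end

# Before the fix: only the project-level ability was consulted, so a member
# who could not see the commit still received a TODO about a note on it.
def todos_before(note)
  note.mentioned.select { |u| can?(u, :read_project, note.commit.project) }
      .map { |u| Todo.new(u, note.commit) }
end

# After the fix: the commit-level ability decides.
def todos_after(note)
  note.mentioned.select { |u| can?(u, :read_commit, note.commit) }
      .map { |u| Todo.new(u, note.commit) }
end

# Clean-up helper: TODOs already created under the old check that the new
# check would not have produced (candidates for removal after the fix ships).
def leaked_todos(todos)
  todos.reject { |t| can?(t.user, :read_commit, t.commit) }
end

# Constructed sample: alice and bob are project members, but only alice may
# read the restricted commit; a note on that commit mentions both of them.
def sample_note
  project = Project.new('demo', %w[alice bob])
  commit  = Commit.new('abc123', project, %w[alice])
  Note.new(commit, 'alice', %w[alice bob])
end

puts todos_before(sample_note).map(&:user).inspect            # ["alice", "bob"]
puts todos_after(sample_note).map(&:user).inspect             # ["alice"]
puts leaked_todos(todos_before(sample_note)).map(&:user).inspect  # ["bob"]
```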
Diffstat (limited to 'changelogs')
| -rw-r--r-- | changelogs/unreleased/security-64711-fix-commit-todos.yml | 5 |
|---|---|---|
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml new file mode 100644 index 00000000000..ce4b3cdeeaf --- /dev/null +++ b/changelogs/unreleased/security-64711-fix-commit-todos.yml @@ -0,0 +1,5 @@ +--- +title: Send TODOs for comments on commits correctly +merge_request: +author: +type: security |
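Review bot: the new changelog entry leaves `merge_request:` empty, so the entry will not link back to the change; if the number is intentionally omitted that is fine, otherwise it should be filled in before merge. The title `Send TODOs for comments on commits correctly` also reads like a plain bug fix, while the commit message describes an access-control defect (TODOs generated for notes on commits the recipient is not allowed to read because `:read_project` was checked instead of `:read_commit`); a title that names the permission check, for example "Only send TODOs for commit notes the user can read", would make this `type: security` entry easier to find later.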