Send TODOs for comments on commits correctly

At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue. This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
author: Nick Thomas <nick@gitlab.com> 2019-08-22 16:05:07 +0100
committer: Nick Thomas <nick@gitlab.com> 2019-08-23 12:47:27 +0100
commit: b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e (patch)
tree: 44848add41cc6627cdcacb469ffd80e23e8f7595 /changelogs
parent: 4a6d22ba439cb20937669c4aa2046acffb36a60e (diff)
download: gitlab-ce-b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml
new file mode 100644
index 00000000000..ce4b3cdeeaf
--- /dev/null
+++ b/changelogs/unreleased/security-64711-fix-commit-todos.yml
@@ -0,0 +1,5 @@
+---
+title: Send TODOs for comments on commits correctly
+merge_request:
+author:
+type: security
author	Nick Thomas <nick@gitlab.com>	2019-08-22 16:05:07 +0100
committer	Nick Thomas <nick@gitlab.com>	2019-08-23 12:47:27 +0100
commit	b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e (patch)
tree	44848add41cc6627cdcacb469ffd80e23e8f7595 /changelogs
parent	4a6d22ba439cb20937669c4aa2046acffb36a60e (diff)
download	gitlab-ce-b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e.tar.gz