Prevent unauthorised comments on merge requests

* Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry
author: Alex Kalderimis <alex.kalderimis@gmail.com> 2019-06-04 23:30:54 -0400
committer: Stan Hu <stanhu@gmail.com> 2019-08-26 11:05:34 -0700
commit: d9ecd83c733443b75d68915816c7ee3f45c4bcdd (patch)
tree: 145b391ef79f316e6863ca1de8bfae26a088d3da /changelogs
parent: 2d66115854f376da822e09eaa544f7de05971401 (diff)
download: gitlab-ce-d9ecd83c733443b75d68915816c7ee3f45c4bcdd.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
new file mode 100644
index 00000000000..ba970162447
--- /dev/null
+++ b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
@@ -0,0 +1,3 @@
+---
+title: Ensure only authorised users can create notes on Merge Requests and Issues
+type: security
author	Alex Kalderimis <alex.kalderimis@gmail.com>	2019-06-04 23:30:54 -0400
committer	Stan Hu <stanhu@gmail.com>	2019-08-26 11:05:34 -0700
commit	d9ecd83c733443b75d68915816c7ee3f45c4bcdd (patch)
tree	145b391ef79f316e6863ca1de8bfae26a088d3da /changelogs
parent	2d66115854f376da822e09eaa544f7de05971401 (diff)
download	gitlab-ce-d9ecd83c733443b75d68915816c7ee3f45c4bcdd.tar.gz