author | Heinrich Lee Yu <hleeyu@gmail.com> | 2019-01-16 02:53:24 +0800 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-31 16:52:48 +0100 |
commit | 35b8f103a87811e0a825773aad3e3d04ee85fa9e (patch) | |
tree | 904b43a964b34922562589318d74316b14980629 /lib/gitlab/email | |
parent | 1549039602dd88fa4f33b0c3f82861ab9bdd7669 (diff) | |
download | gitlab-ce-35b8f103a87811e0a825773aad3e3d04ee85fa9e.tar.gz |
Prevent comments by email when issue is locked
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.
Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.
Diffstat (limited to 'lib/gitlab/email')
-rw-r--r-- | lib/gitlab/email/handler/reply_processing.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/email/handler/reply_processing.rb b/lib/gitlab/email/handler/reply_processing.rb index ba9730d2685..d8f4be8ada1 100644 --- a/lib/gitlab/email/handler/reply_processing.rb +++ b/lib/gitlab/email/handler/reply_processing.rb @@ -56,7 +56,7 @@ module Gitlab raise ProjectNotFound unless author.can?(:read_project, project) end - raise UserNotAuthorizedError unless author.can?(permission, project || noteable) + raise UserNotAuthorizedError unless author.can?(permission, try(:noteable) || project) end def verify_record!(record:, invalid_exception:, record_name:) |
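Review bot: the rewritten check `raise UserNotAuthorizedError unless author.can?(permission, try(:noteable) || project)` still falls back to the project-level check whenever `try(:noteable)` returns nil, and that happens in two different situations: a handler that does not define `noteable` at all (the intended fallback) and a handler that does define it but could not resolve the record. In the second case the author is only checked against the project, which is exactly the path the commit message says it wants to close for locked discussions and confidential issues. Since `verify_record!(record:, invalid_exception:, record_name:)` already exists in this module, consider verifying the noteable before this line so that a nil noteable raises the handler's not-found exception rather than silently widening the check, leaving the `|| project` branch reachable only for handlers without a `noteable` method. Also note that `permission` is now evaluated against the noteable's policy instead of the project's, so every caller of this method must pass an ability that the noteable's policy defines; a project-only ability would make `can?` return false and reject otherwise valid replies.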