diff options
author | Markus Koller <mkoller@gitlab.com> | 2019-05-31 18:18:09 +0200 |
---|---|---|
committer | Markus Koller <mkoller@gitlab.com> | 2019-06-06 09:32:18 +0200 |
commit | 12d7b3937fa97048d5bd6c09769e837052ebb3db (patch) | |
tree | 87e7c57422d777e764f646cde551884ba70cca59 /spec/controllers/projects/notes_controller_spec.rb | |
parent | 11bb3b53bcd2b50cb3fe243ac3b778354849cdde (diff) | |
download | gitlab-ce-12d7b3937fa97048d5bd6c09769e837052ebb3db.tar.gz |
Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and
authorized through the :snippet_id, so by passing a :target_id for a
different snippet it was possible to create a note on a snippet
where the user would be unauthorized to do so otherwise.
This fixes the problem by ignoring the :target_id and :target_type from
the request, and using the same noteable for creation and authorization.
Diffstat (limited to 'spec/controllers/projects/notes_controller_spec.rb')
-rw-r--r-- | spec/controllers/projects/notes_controller_spec.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb index 6ec84f5c528..1db1963476c 100644 --- a/spec/controllers/projects/notes_controller_spec.rb +++ b/spec/controllers/projects/notes_controller_spec.rb @@ -252,7 +252,7 @@ describe Projects::NotesController do before do service_params = ActionController::Parameters.new({ note: 'some note', - noteable_id: merge_request.id.to_s, + noteable_id: merge_request.id, noteable_type: 'MergeRequest', commit_id: nil, merge_request_diff_head_sha: 'sha' |