author Markus Koller <mkoller@gitlab.com> 2019-05-31 18:18:09 +0200
committer Markus Koller <mkoller@gitlab.com> 2019-06-06 09:32:18 +0200
commit 12d7b3937fa97048d5bd6c09769e837052ebb3db (patch)
tree 87e7c57422d777e764f646cde551884ba70cca59 /spec/controllers/projects/notes_controller_spec.rb
parent 11bb3b53bcd2b50cb3fe243ac3b778354849cdde (diff)
Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise. This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
Diffstat (limited to 'spec/controllers/projects/notes_controller_spec.rb')
-rw-r--r-- spec/controllers/projects/notes_controller_spec.rb 2
1 files changed, 1 insertions, 1 deletions
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 6ec84f5c528..1db1963476c 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -252,7 +252,7 @@ describe Projects::NotesController do
before do
service_params = ActionController::Parameters.new({
note: 'some note',
- noteable_id: merge_request.id.to_s,
+ noteable_id: merge_request.id,
noteable_type: 'MergeRequest',
commit_id: nil,
merge_request_diff_head_sha: 'sha'
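Review bot: the commit message only describes the fix in Snippets::NotesController, but this hunk shows Projects::NotesController changed behaviour too: the spec now expects `noteable_id: merge_request.id` (an Integer) instead of `merge_request.id.to_s`, i.e. the id handed to the notes service now comes from the resolved noteable rather than being copied verbatim from the request parameters. The message should say that the noteable id is derived from the authorized noteable in this controller as well, so readers of the log do not assume the project notes path was untouched. It would also be worth adding a spec here that posts a `noteable_id`/`target_id` for a different noteable than the one in the route and asserts that the request value is ignored, since that is the exact regression this commit is meant to prevent and this one-line expectation change does not cover it.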