diff options
-rw-r--r-- | app/controllers/concerns/notes_actions.rb | 3 | ||||
-rw-r--r-- | changelogs/unreleased/issue_39176.yml | 5 | ||||
-rw-r--r-- | spec/controllers/projects/notes_controller_spec.rb | 13 |
3 files changed, 20 insertions, 1 deletions
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb index 1126f706393..fb9c942d302 100644 --- a/app/controllers/concerns/notes_actions.rb +++ b/app/controllers/concerns/notes_actions.rb @@ -4,6 +4,7 @@ module NotesActions included do before_action :set_polling_interval_header, only: [:index] + before_action :noteable, only: :index before_action :authorize_admin_note!, only: [:update, :destroy] before_action :note_project, only: [:create] end @@ -188,7 +189,7 @@ module NotesActions end def noteable - @noteable ||= notes_finder.target + @noteable ||= notes_finder.target || render_404 end def last_fetched_at diff --git a/changelogs/unreleased/issue_39176.yml b/changelogs/unreleased/issue_39176.yml new file mode 100644 index 00000000000..6255b51c094 --- /dev/null +++ b/changelogs/unreleased/issue_39176.yml @@ -0,0 +1,5 @@ +--- +title: Render 404 when polling commit notes without having permissions +merge_request: +author: +type: fixed diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb index 135fd6449ff..77bf997bec5 100644 --- a/spec/controllers/projects/notes_controller_spec.rb +++ b/spec/controllers/projects/notes_controller_spec.rb @@ -105,6 +105,19 @@ describe Projects::NotesController do expect(note_json[:discussion_html]).to be_nil expect(note_json[:diff_discussion_html]).to be_nil end + + context 'when user cannot read commit' do + before do + allow(Ability).to receive(:allowed?).and_call_original + allow(Ability).to receive(:allowed?).with(user, :download_code, project).and_return(false) + end + + it 'renders 404' do + get :index, params + + expect(response).to have_gitlab_http_status(404) + end + end end end |