summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml5
-rw-r--r--spec/policies/project_policy_spec.rb12
3 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index d70417e710e..e801900e981 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -392,7 +392,7 @@ class ProjectPolicy < BasePolicy
end.enable :read_issue_iid
rule do
- (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
+ (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
end.enable :read_merge_request_iid
rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 00000000000..0281dde11e6
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 9cb20854f6e..3f87d5eef4b 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -12,7 +12,7 @@ describe ProjectPolicy do
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
- read_project_for_iids read_issue_iid read_merge_request_iid read_label
+ read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji read_release
@@ -152,6 +152,16 @@ describe ProjectPolicy do
end
end
+ context 'for a guest in a private project' do
+ let(:project) { create(:project, :private) }
+ subject { described_class.new(guest, project) }
+
+ it 'disallows the guest from reading the merge request and merge request iid' do
+ expect_disallowed(:read_merge_request)
+ expect_disallowed(:read_merge_request_iid)
+ end
+ end
+
context 'builds feature' do
subject { described_class.new(owner, project) }