Diffstat (limited to 'app/policies/issue_policy.rb')
-rw-r--r--app/policies/issue_policy.rb19
1 files changed, 18 insertions, 1 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 87db228a698..491eebe9daf 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -9,7 +9,7 @@ class IssuePolicy < IssuablePolicy
desc "User can read confidential issues"
condition(:can_read_confidential) do
- @user && IssueCollection.new([@subject]).visible_to(@user).any?
+ @user && (@user.admin? || can?(:reporter_access) || assignee_or_author?) # rubocop:disable Cop/UserAdmin
end
desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
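Review bot: `can_read_confidential` now calls `@user.admin?` directly and silences `Cop/UserAdmin` on the same line without giving a reason. A raw `admin?` check does not go through the policy framework, so if Admin Mode is enabled, an administrator who has not entered it would presumably still satisfy this condition for confidential issues. If that is intended, put the justification above the line, e.g. `# admin? is checked directly on purpose; Admin Mode is not consulted for confidential-issue visibility`; if not, use the Admin-Mode-aware policy check instead. `assignee_or_author?` is defined outside this hunk, so what it grants to users who are not project members cannot be confirmed from here.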
@@ -27,6 +27,23 @@ class IssuePolicy < IssuablePolicy
desc "Issue is persisted"
condition(:persisted, scope: :subject) { @subject.persisted? }
+ # accessing notes requires the notes widget to be available for work items(or issue)
+ condition(:notes_widget_enabled, scope: :subject) do
+ @subject.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
+ rule { ~notes_widget_enabled }.policy do
+ prevent :create_note
+ prevent :read_note
+ prevent :read_internal_note
+ prevent :set_note_created_at
+ prevent :mark_note_as_confidential
+ # these actions on notes are not available on issues/work items yet,
+ # but preventing any action on work item notes as long as there is no notes widget seems reasonable
+ prevent :resolve_note
+ prevent :reposition_note
+ end
+
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
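Review bot: The `~notes_widget_enabled` rule is a hand-written deny-list, so it fails open: any note ability that is enabled elsewhere and not named in these seven `prevent` lines stays allowed on a type without the notes widget. A comment on the rule should say that the list must grow with every new note ability, e.g. `# keep in sync with every *_note ability; anything not listed here remains allowed without the notes widget`, and a spec enumerating the note abilities would catch drift. The condition also dereferences `@subject.work_item_type` unguarded; whether it can be nil is not visible here, but if it can, policy evaluation raises instead of returning a decision, whereas `@subject.work_item_type&.widgets&.include?(::WorkItems::Widgets::Notes)` would deny note access rather than raise. The class body and the `confidential` rule that follows continue outside the hunk.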