summaryrefslogtreecommitdiff
path: root/app/policies/merge_request_policy.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/policies/merge_request_policy.rb')
-rw-r--r--app/policies/merge_request_policy.rb6
1 files changed, 6 insertions, 0 deletions
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index a3692857ff4..5ad7bdabdff 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy
rule { locked }.policy do
prevent :reopen_merge_request
end
+
+ # Only users who can read the merge request can comment.
+ # Although :read_merge_request is computed in the policy context,
+ # it would not be safe to prevent :create_note there, since
+ # note permissions are shared, and this would apply too broadly.
+ rule { ~can?(:read_merge_request) }.prevent :create_note
end