From d40b79021dc1f1ad95e608e17cac69a4390c9cf9 Mon Sep 17 00:00:00 2001
From: Charlie Ablett <cablett@gitlab.com>
Date: Tue, 29 Oct 2019 15:58:26 +0000
Subject: Improper access control allows the attacker to comment in internal
 commit after they are no longer admin

---
 app/policies/commit_policy.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'app/policies/commit_policy.rb')

diff --git a/app/policies/commit_policy.rb b/app/policies/commit_policy.rb
index 4d4f0ba9267..4b358c45ec2 100644
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
   delegate { @subject.project }
 
   rule { can?(:download_code) }.enable :read_commit
+  rule { ~can?(:read_commit) }.prevent :create_note
 end
-- 
cgit v1.2.1