From 52feca595a3311fc12a6f35191a24ff61c33e440 Mon Sep 17 00:00:00 2001
From: Tiago Botelho
Date: Fri, 7 Dec 2018 15:48:38 +0000
Subject: Adds validation to check if user can read project

An issuable should not be available to a user if the project is not visible to that specific user
---
 app/policies/issuable_policy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'app/policies')
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 6d8b575102e..ecb2797d1d9 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -11,7 +11,7 @@ class IssuablePolicy < BasePolicy
 @user && @subject.assignee_or_author?(@user)
 end

- rule { assignee_or_author }.policy do
+ rule { can?(:guest_access) & assignee_or_author }.policy do
 enable :read_issue
 enable :update_issue
 enable :reopen_issue
-- 
cgit v1.2.1
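Review bot: The added conjunct in `rule { can?(:guest_access) & assignee_or_author }.policy do` carries the whole authorization fix, yet nothing in the hunk explains why `:guest_access` is the ability that stands for "can read the project", which is the wording the commit message uses. A comment above the rule, such as `# Being author or assignee must not grant access once the user can no longer see the project`, would keep a later refactor from dropping the conjunct. This view is limited to app/policies, so a spec may exist elsewhere; if not, the change should come with a regression spec asserting that an author or assignee without project access is denied `:read_issue`, `:update_issue` and `:reopen_issue`. The fix narrows only this one rule, so it is worth confirming that no other rule outside the hunk enables the same abilities without a project-visibility condition. The policy block continues past the end of the hunk, so any further abilities it enables are not visible here.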