From d43aaf286fe6b8e8383e73ea580274d8841608d7 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Tue, 17 Mar 2020 00:09:12 +0000
Subject: Add latest changes from gitlab-org/gitlab@master
---
 app/policies/note_policy.rb | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'app/policies')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 54dc70b08cb..32be89439ba 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -1,6 +1,8 @@ # frozen_string_literal: true class NotePolicy < BasePolicy + include Gitlab::Utils::StrongMemoize + delegate { @subject.resource_parent } delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
@@ -13,6 +15,12 @@ class NotePolicy < BasePolicy condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) } + condition(:confidential, scope: :subject) { @subject.confidential? } + + condition(:can_read_confidential) do access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) end + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
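Review bot: `can_read_confidential` states a threshold (`Gitlab::Access::REPORTER`) and an exemption (assignee or author) without saying why, and it is the gate on `read_note` for confidential notes, so a short comment above the condition would help: `# Confidential notes are readable by members at reporter level or above, and by the noteable's author or assignees.` For an anonymous user `access_level` (defined further down in this commit) returns -1, so the result rests entirely on `@subject.noteable_assignee_or_author?(nil)`; presumably that returns false for a nil user, but it is worth confirming since nothing else stands between an anonymous caller and a confidential note. The condition is unscoped while `:confidential` is `scope: :subject`, which is correct because it depends on both user and subject, but a reader may wonder, so the comment could say so.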
@@ -39,4 +47,37 @@ class NotePolicy < BasePolicy rule { is_noteable_author }.policy do enable :resolve_note end + + rule { confidential & ~can_read_confidential }.policy do prevent :read_note prevent :admin_note prevent :resolve_note prevent :award_emoji end + + def parent_namespace strong_memoize(:parent_namespace) do next if @subject.is_a?(PersonalSnippet) next @subject.noteable.group if @subject.noteable&.is_a?(Epic) + + @subject.project + end + end + + def access_level return -1 if @user.nil? return -1 unless parent_namespace + lookup_access_level! end + + def lookup_access_level! return ::Gitlab::Access::REPORTER if alert_bot? + if parent_namespace.is_a?(Project) parent_namespace.team.max_member_access(@user.id) else parent_namespace.max_member_access_for_user(@user) end + end end
-- cgit v1.2.1
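Review bot: `lookup_access_level!` carries a bang with no non-bang counterpart, which in Ruby signals a dangerous or mutating variant rather than a plain lookup; since it neither mutates nor raises, `lookup_access_level` (or folding it into `access_level`) would read better, and the three new helpers are public methods on the policy even though only the conditions use them — if DeclarativePolicy evaluates condition blocks in the policy instance, they could sit under `private`. The `-1` sentinel in `access_level` also deserves a comment, since `Gitlab::Access::NO_ACCESS` is 0 and a reader may expect that constant: `# -1 sorts below every Gitlab::Access level, including NO_ACCESS, so anonymous users and noteables without a project/group never reach the REPORTER threshold.` The `alert_bot?` short-circuit to `REPORTER` is likewise unexplained and merits a one-line why-comment. Whether `team.max_member_access(@user.id)` accounts for access inherited from the project's group is assumed here and not visible in the hunk — worth confirming, since a group-level reporter would otherwise be denied confidential notes.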