From 12d7b3937fa97048d5bd6c09769e837052ebb3db Mon Sep 17 00:00:00 2001
From: Markus Koller
Date: Fri, 31 May 2019 18:18:09 +0200
Subject: Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise.
This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
---
 spec/controllers/projects/notes_controller_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'spec/controllers/projects/notes_controller_spec.rb')
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 6ec84f5c528..1db1963476c 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -252,7 +252,7 @@ describe Projects::NotesController do
 before do
 service_params = ActionController::Parameters.new({
 note: 'some note',
- noteable_id: merge_request.id.to_s,
+ noteable_id: merge_request.id,
 noteable_type: 'MergeRequest',
 commit_id: nil,
 merge_request_diff_head_sha: 'sha'
--
cgit v1.2.1
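Review bot: The rewritten expectation on the `+ noteable_id: merge_request.id` line only pins that the service now receives an Integer id instead of the former string `.to_s` form, which suggests the controller now takes `noteable_id` from the resolved noteable rather than from a request parameter; as far as this hunk shows, nothing exercises the authorization regression described in the commit message, where a `:target_id`/`:target_type` naming a different noteable could be honoured. If Projects::NotesController shares that resolution path with the snippets controller, this describe block would benefit from a regression example that posts a note whose params carry a `target_id` belonging to a different noteable and asserts the note is created on the noteable from the route with the mismatched id ignored. That is the example that would catch a reintroduction of the bypass, whereas the current assertion passes for any implementation that happens to supply an integer. The `before` block opened in this hunk ends outside it, so its remaining setup could not be checked here.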