authorYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:47:40 +0300
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:47:43 +0300
commit2692cee68bb961019e555168a55f729a7e125095 (patch)
tree5d8b5e989bade9ff727c7386b951ba39d9808fff
parent9128a397824d6e402bc5098fc5427c8280604881 (diff)
Merge branch 'security-2776-fix-add-reaction-permissions-11-6' into 'security-11-6'
[11.6] Revoke award_emoji permissions for confidential issues See merge request gitlab/gitlabhq!2850 (cherry picked from commit f645472619fe1e1ec4fdaa02010408d548287efb) 47d86827 Prevent award_emoji to notes not visible to user
-rw-r--r--app/policies/note_policy.rb1
-rw-r--r--changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml5
-rw-r--r--spec/policies/note_policy_spec.rb2
3 files changed, 8 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index f22843b6463..8d23e3abed3 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
prevent :read_note
prevent :admin_note
prevent :resolve_note
+ prevent :award_emoji
end
rule { is_author }.policy do
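Review bot: The added `prevent :award_emoji` extends a hand-maintained list of abilities this rule denies, so the rule is only as complete as the list — the missing entry is exactly the gap this commit closes, and any ability added to NotePolicy later would again be granted on notes whose parent the user cannot see (per the changelog) until someone remembers this block. A comment above the block stating the invariant would make the next addition less likely to be missed: `# Every ability granted elsewhere in NotePolicy must also be prevented here: a note whose parent is not visible to the user must expose nothing.` If DeclarativePolicy's `prevent_all` is acceptable for this rule it would remove the maintenance burden entirely, but it widens the denied set beyond these four abilities and would need checking against the spec. The rule's condition and the start of the block are outside the hunk.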
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 00000000000..3ad92578c44
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index 7e25c53e77c..0e848c74659 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_disallowed(:admin_note)
expect(policy).to be_disallowed(:resolve_note)
expect(policy).to be_disallowed(:read_note)
+ expect(policy).to be_disallowed(:award_emoji)
end
end
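Review bot: The describe line shown in this hunk's header reads `describe NotePolicy, mdoels: true do`; `mdoels` is a misspelling of `models`, so whatever that RSpec metadata tag is meant to switch on in this project's spec configuration is not applied to these examples. The new `expect(policy).to be_disallowed(:award_emoji)` assertion still runs, but the one-word correction to `describe NotePolicy, models: true do` is outside the lines this commit changes; the same header appears on the second hunk of this file. The enclosing example blocks begin outside the hunk.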
@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_allowed(:admin_note)
expect(policy).to be_allowed(:resolve_note)
expect(policy).to be_allowed(:read_note)
+ expect(policy).to be_allowed(:award_emoji)
end
end
end