authorYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:50:16 +0300
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:50:18 +0300
commit7f0ce1ea578469615885d4a4707bd204d4c4493a (patch)
tree83df654352a645f3ef07aa6ad3e00957870597fa
parent34719d9c5e8f6064003c63d1ed22df38c9a4fccd (diff)
Merge branch 'security-do-not-process-mr-ref-for-guests-11-5' into 'security-11-5'
[11.5] Don't process MR refs for guests in the notes See merge request gitlab/gitlabhq!2783 (cherry picked from commit 5a508bb7a5e3d7a048c6b3f50f74727e1c71b56e) d4af76d9 Don't process MR refs for guests in the notes
-rw-r--r--app/policies/project_policy.rb2
-rw-r--r--changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml5
-rw-r--r--spec/policies/project_policy_spec.rb12
3 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 242ca463215..924decfd844 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -388,7 +388,7 @@ class ProjectPolicy < BasePolicy
end.enable :read_issue_iid
rule do
- (can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
+ (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
end.enable :read_merge_request_iid
private
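Review bot: The new `~guest` term on line 28 changes who is served by the first disjunct of the rule, and nothing in the hunk records the intent, so a reader must reconstruct it from the `guest` condition defined elsewhere in ProjectPolicy/BasePolicy. If `guest` is a minimum-access-level condition rather than an exact-role match, `~guest` excludes every project member from that path, not only guests, and members then depend entirely on `can?(:read_merge_request)` for the iid lookup — worth confirming against the condition definition, and worth stating next to the rule. I would add above the `rule do` on line 26: `# Guests must not learn MR iids via the iid lookup path; members get :read_merge_request_iid through :read_merge_request,` followed by `# non-members (public/internal projects) through merge_requests_visible_to_user.`. The enclosing class body continues outside the hunk.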
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 00000000000..0281dde11e6
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a53a737aaaa..c0cabd3299a 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -12,7 +12,7 @@ describe ProjectPolicy do
let(:base_guest_permissions) do
%i[
read_project read_board read_list read_wiki read_issue
- read_project_for_iids read_issue_iid read_merge_request_iid read_label
+ read_project_for_iids read_issue_iid read_label
read_milestone read_project_snippet read_project_member read_note
create_project create_issue create_note upload_file create_merge_request_in
award_emoji
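Review bot: Removing `read_merge_request_iid` from `base_guest_permissions` on line 51 pins only the negative side of the fix; no assertion in this file section shows that the rewritten policy rule still grants `:read_merge_request_iid` to members above guest, or to a non-member on a public project via `merge_requests_visible_to_user`. Because the `~guest` negation narrows the first disjunct for anyone the `guest` condition matches, a positive case is what would catch an over-broad denial if that condition turns out to be level-based. I would add, alongside the new guest context, `it { expect_allowed(:read_merge_request_iid) }` under a reporter subject and under a non-member subject on a `:public` project, using the same `expect_allowed`/`expect_disallowed` helpers this spec already relies on. The second hunk of this file runs past the end of the page, so the new guest context is only partly visible here.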
@@ -152,6 +152,16 @@ describe ProjectPolicy do
end
end
+ context 'for a guest in a private project' do
+ let(:project) { create(:project, :private) }
+ subject { described_class.new(guest, project) }
+
+ it 'disallows the guest from reading the merge request and merge request iid' do
+ expect_disallowed(:read_merge_request)
+ expect_disallowed(:read_merge_request_iid)
+ end
+ end
+
context 'builds feature' do
context 'when builds are disabled' do
subject { described_class.new(owner, project) }