diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 20:02:28 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 20:02:28 +0300 |
| commit | 17bf8a8f9d70ff2d4c5adb2a79f7afab049ab172 (patch) | |
| tree | 81942ceac8a20cf83cde35a0d94356f3e134bda3 /app/models/note.rb | |
| parent | f18305402702ebf1c06f5ddf6ab9a62e8b131d0e (diff) | |
| parent | 527723c37b0297e89c800f9a0e8ea8f75e171152 (diff) | |
Merge branch 'security-filter-related-branches-from-activity-feed' into 'master'
Related Branches Visible to Guests in Issue Activity
See merge request gitlab/gitlabhq!3537
Diffstat (limited to 'app/models/note.rb')
| -rw-r--r-- | app/models/note.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/app/models/note.rb b/app/models/note.rb index 1996fd4bff5..4e3700f3eaa 100644 --- a/app/models/note.rb +++ b/app/models/note.rb @@ -37,6 +37,10 @@ class Note < ApplicationRecord redact_field :note + TYPES_RESTRICTED_BY_ABILITY = { + branch: :download_code + }.freeze + # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes. # See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102 alias_attribute :last_edited_at, :updated_at @@ -341,7 +345,7 @@ class Note < ApplicationRecord end def visible_for?(user) - !cross_reference_not_visible_for?(user) + !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user) end def award_emoji? @@ -497,6 +501,15 @@ class Note < ApplicationRecord private + def system_note_viewable_by?(user) + return true unless system_note_metadata + + restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym] + return Ability.allowed?(user, restriction, project) if restriction + + true + end + def keep_around_commit project.repository.keep_around(self.commit_id) end |