gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: Alex Kalderimis <alex.kalderimis@gmail.com> 2019-06-05 06:30:54 +0300
committer: Alex Kalderimis <alex.kalderimis@gmail.com> 2019-08-07 05:04:33 +0300
commit: d30a90a354f3dc015093d80f9de9dc15b38ff2a0
tree: 3801475fb39956a6cc73598518b5bc6a7afbb3b1 /app/policies/issue_policy.rb
parent: 1dfbb27f6e8d01023564eededff2a0ba1a04badc
Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs

This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs.

* Prevent creating notes in inaccessible Issues

Without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read.

* Add CHANGELOG entry
Diffstat (limited to 'app/policies/issue_policy.rb')
-rw-r--r-- app/policies/issue_policy.rb | 9
1 files changed, 5 insertions, 4 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index dd8c5d49cf4..fa252af55e4 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -5,6 +5,8 @@ class IssuePolicy < IssuablePolicy
# Make sure to sync this class checks with issue.rb to avoid security problems.
# Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.
+ extend ProjectPolicy::ClassMethods
+
desc "User can read confidential issues"
condition(:can_read_confidential) do
@user && IssueCollection.new([@subject]).visible_to(@user).any?
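Review bot: `extend ProjectPolicy::ClassMethods` is pulled in only so the rule block further down can call `create_read_update_admin_destroy(:issue)`; a one-line comment saying so would help, because the warning directly above this hunk tells readers these checks must stay in sync with issue.rb, and a reader will otherwise wonder why an issue policy now depends on project-policy class methods.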
@@ -14,13 +16,12 @@ class IssuePolicy < IssuablePolicy
condition(:confidential, scope: :subject) { @subject.confidential? }
rule { confidential & ~can_read_confidential }.policy do
- prevent :read_issue
+ prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
- prevent :update_issue
- prevent :admin_issue
- prevent :create_note
end
+ rule { ~can?(:read_issue) }.prevent :create_note
+
rule { locked }.policy do
prevent :reopen_issue
end
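Review bot: the new `rule { ~can?(:read_issue) }.prevent :create_note` depends on its position after the confidential block, since `can?(:read_issue)` evaluates the read ability including the `prevent` issued for confidential issues just above; add a short comment stating that ordering and that this single rule now covers both the confidential case (replacing the explicit `prevent :create_note` this hunk removes) and the private-issues case from the commit message. Also confirm that swapping the explicit `prevent :read_issue` / `prevent :update_issue` / `prevent :admin_issue` for `prevent(*create_read_update_admin_destroy(:issue))` is meant to widen the prevented set to the create and destroy abilities the helper's name implies, and note in a comment that `prevent :read_issue_iid`, left on its own between the expansion and the `end`, is the one ability the helper does not cover.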