Merge branch 'security-2853-prevent-comments-on-private-mrs' into 'master'

Ensure only authorised users can create notes on merge requests and issues See merge request gitlab/gitlabhq!3137
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:34:27 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:34:27 +0300
commit: 21b5239a0016796f1e2b60955f47c7daea318208 (patch)
tree: a687a9648a219949ace56711990231d2cb779ed3 /app/policies/merge_request_policy.rb
parent: 5a008d136840b5c7fd5688060efa73dd1b5491ab (diff)
parent: d30a90a354f3dc015093d80f9de9dc15b38ff2a0 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index a3692857ff4..5ad7bdabdff 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy
   rule { locked }.policy do
     prevent :reopen_merge_request
   end
+
+  # Only users who can read the merge request can comment.
+  # Although :read_merge_request is computed in the policy context,
+  # it would not be safe to prevent :create_note there, since
+  # note permissions are shared, and this would apply too broadly.
+  rule { ~can?(:read_merge_request) }.prevent :create_note
 end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:34:27 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:34:27 +0300
commit	21b5239a0016796f1e2b60955f47c7daea318208 (patch)
tree	a687a9648a219949ace56711990231d2cb779ed3 /app/policies/merge_request_policy.rb
parent	5a008d136840b5c7fd5688060efa73dd1b5491ab (diff)
parent	d30a90a354f3dc015093d80f9de9dc15b38ff2a0 (diff)