diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:27 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:27 +0300 |
commit | 21b5239a0016796f1e2b60955f47c7daea318208 (patch) | |
tree | a687a9648a219949ace56711990231d2cb779ed3 /app/policies/merge_request_policy.rb | |
parent | 5a008d136840b5c7fd5688060efa73dd1b5491ab (diff) | |
parent | d30a90a354f3dc015093d80f9de9dc15b38ff2a0 (diff) |
Merge branch 'security-2853-prevent-comments-on-private-mrs' into 'master'
Ensure only authorised users can create notes on merge requests and issues
See merge request gitlab/gitlabhq!3137
Diffstat (limited to 'app/policies/merge_request_policy.rb')
-rw-r--r-- | app/policies/merge_request_policy.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb index a3692857ff4..5ad7bdabdff 100644 --- a/app/policies/merge_request_policy.rb +++ b/app/policies/merge_request_policy.rb @@ -4,4 +4,10 @@ class MergeRequestPolicy < IssuablePolicy rule { locked }.policy do prevent :reopen_merge_request end + + # Only users who can read the merge request can comment. + # Although :read_merge_request is computed in the policy context, + # it would not be safe to prevent :create_note there, since + # note permissions are shared, and this would apply too broadly. + rule { ~can?(:read_merge_request) }.prevent :create_note end |