diff options
| author | Cindy Pallares <cindy@gitlab.com> | 2018-11-28 22:04:15 +0300 |
|---|---|---|
| committer | Cindy Pallares <cindy@gitlab.com> | 2018-11-29 03:11:56 +0300 |
| commit | e122e14ac6a25c7813ca888a97bd4a3298e78d9d (patch) | |
| tree | bd3774fae0517a63dd1e30b3fc95c00c54878357 /app/policies/note_policy.rb | |
| parent | ffd1c4cd453043448198d4a1c9582f5c54f5c377 (diff) | |
Merge branch 'security-guest-comments' into 'master'
[master]Fixed ability to comment on and edit/delete comments on locked or confidential issues
See merge request gitlab/gitlabhq!2612
Diffstat (limited to 'app/policies/note_policy.rb')
| -rw-r--r-- | app/policies/note_policy.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index bbc2b48b856..f22843b6463 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -9,8 +9,17 @@ class NotePolicy < BasePolicy condition(:editable, scope: :subject) { @subject.editable? } + condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } + rule { ~editable }.prevent :admin_note + # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes + rule { ~can_read_noteable }.policy do + prevent :read_note + prevent :admin_note + prevent :resolve_note + end + rule { is_author }.policy do enable :read_note enable :admin_note |