author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 00:26:53 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 00:26:53 +0300 |
commit | b30f7e36de53f94df4022815d3fbdadc4368a7e3 (patch) | |
tree | 422cc3db247e7d5e9d6dcb9cc40618b863cd64ce /app/policies/todo_policy.rb | |
parent | c8edb9de30c95e9e715a1e31e7667f94fb7f3dec (diff) |
Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
Diffstat (limited to 'app/policies/todo_policy.rb')
-rw-r--r-- | app/policies/todo_policy.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index d01a046c343..6237fbc50fa 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,7 +5,10 @@ class TodoPolicy < BasePolicy
 condition(:own_todo) do
 @user && @subject.user_id == @user.id
 end
+ condition(:can_read_target) do
+ @user && @subject.target&.readable_by?(@user)
+ end
- rule { own_todo }.enable :read_todo
- rule { own_todo }.enable :update_todo
+ rule { own_todo & can_read_target }.enable :read_todo
+ rule { own_todo & can_read_target }.enable :update_todo
 end |
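Review bot: In `condition(:can_read_target)`, a todo whose `target` is nil makes the safe-navigation expression evaluate to nil, so both `read_todo` and `update_todo` are denied even to the owner; that fails closed, which is the safe direction for an authorization check, but nothing in the code says it is intended. I would add a comment above the condition such as `# Fails closed: a missing target, or one the user can no longer read, denies read and update.` Because `update_todo` is gated by the same condition, an owner who lost access to the target can presumably no longer dismiss the todo, so it is worth confirming that such stale todos are cleaned up elsewhere. The condition also assumes every todo target type responds to `readable_by?`, and since this page is limited to this one file, that and any todo list queries that do not go through the policy should be checked separately. The class body starts above the hunk.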