author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-29 00:59:41 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-29 00:59:41 +0300 |
commit | cc201d1e1be2c8f4de2e2265c2b83bd925f8a260 (patch) | |
tree | 7347a079cde32c08900547d96a7c5ddbc2a50259 /app/policies | |
parent | 70d9f335be46efecb1328cd2b7da3f3e17516d7d (diff) |
Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/issuable_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/todo_policy.rb | 17 |
3 files changed, 23 insertions, 1 deletions
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index e5913bab726..e864ce8752a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy
     enable :reopen_issue
   end
 
+  # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
+  # TodoPolicy for performance reasons
+  rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+    enable :read_confidential_notes
+  end
+
   rule { can?(:read_merge_request) & assignee_or_author }.policy do
     enable :update_merge_request
     enable :reopen_merge_request
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index e85f18f2d37..1bffcc5aea2 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
   condition(:can_read_confidential) do
     access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
   end
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
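Review bot: The new `read_confidential_notes` rule in issuable_policy.rb is a hand-copied duplicate of `NotePolicy#can_read_confidential`, so the two can diverge silently, and a divergence would let TodoPolicy show a todo whose underlying note the user cannot read; the inline comment (and the mirror comment added in the note_policy.rb hunk) is the only guard. `can?(:reporter_access)` and `assignee_or_author` are presumably equivalent to `access_level >= Gitlab::Access::REPORTER` and `noteable_assignee_or_author?(@user)`, but nothing in the change verifies that. I would add a parity spec that, for a reporter, an assignee, an author, an admin and a guest, asserts `Ability.allowed?(user, :read_confidential_notes, issuable)` equals whether that user may read a confidential note on the same issuable, so the duplication is caught by CI rather than by a comment.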
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
   condition(:own_todo) do
     @user && @subject.user_id == @user.id
   end
+
+  desc "User can read the todo's target"
   condition(:can_read_target) do
     @user && @subject.target&.readable_by?(@user)
   end
 
+  desc "Todo has confidential note"
+  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+  desc "User can read the todo's confidential note"
+  condition(:can_read_todo_confidential_note) do
+    @user && @user.can?(:read_confidential_notes, @subject.target)
+  end
+
   rule { own_todo & can_read_target }.enable :read_todo
-  rule { own_todo & can_read_target }.enable :update_todo
+  rule { can?(:read_todo) }.enable :update_todo
+
+  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+    prevent :read_todo
+    prevent :update_todo
+  end
 end |
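Review bot: `can_read_todo_confidential_note` passes `@subject.target` straight into `can?`, without the `&.` that `can_read_target` uses, and for any target whose policy does not define `:read_confidential_notes` (the new rule is added only to IssuablePolicy) the check presumably resolves to false, so a todo for a confidential note on such a target is hidden from every user. That is fail-closed, which is the right default for confidential data, but it should be written down so a future noteable type that gains confidential notes is not mistaken for a bug; I would add above the condition `# Fails closed: a target whose policy lacks :read_confidential_notes hides the todo.` The `@subject&.` in `has_confidential_note` looks unnecessary — in a subject-scoped condition `@subject` is the Todo itself and appears never to be nil — so `{ @subject.note&.confidential? }` would read as intended. The prevent rule correctly overrides the `own_todo & can_read_target` enable regardless of declaration order in DeclarativePolicy, so no ordering note is needed there.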