author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-14 12:08:01 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-14 12:08:01 +0300 |
commit | af60c8a79f77c8230292a133fb9d09dab5cd5cd3 (patch) | |
tree | 7db57df336144ae99b2e299e467b6c75f3356daf /app/policies | |
parent | b747a99e48ac36c351ec6f4329b8e5f75d5ed253 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/issue_policy.rb | 17 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 8 |
2 files changed, 25 insertions, 0 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 2bc535adf41..491eebe9daf 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -27,6 +27,23 @@ class IssuePolicy < IssuablePolicy
 desc "Issue is persisted"
 condition(:persisted, scope: :subject) { @subject.persisted? }
+ # accessing notes requires the notes widget to be available for work items(or issue)
+ condition(:notes_widget_enabled, scope: :subject) do
+ @subject.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
+ rule { ~notes_widget_enabled }.policy do
+ prevent :create_note
+ prevent :read_note
+ prevent :read_internal_note
+ prevent :set_note_created_at
+ prevent :mark_note_as_confidential
+ # these actions on notes are not available on issues/work items yet,
+ # but preventing any action on work item notes as long as there is no notes widget seems reasonable
+ prevent :resolve_note
+ prevent :reposition_note
+ end
+
 rule { confidential & ~can_read_confidential }.policy do
 prevent(*create_read_update_admin_destroy(:issue))
 prevent :read_issue_iid
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 67b57595beb..9fd95bbe42d 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
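Review bot: In issue_policy.rb the `rule { ~notes_widget_enabled }.policy` block prevents a hand-picked list of seven note abilities, while the comment inside it states the intent as preventing any action on notes; an ability that is not on the list stays governed by the other rules, so the gate fails open for anything added later. NotePolicy in this same commit uses `prevent_all` for the equivalent condition, so the two policies can drift unless the list is maintained by hand. I would record that above the rule, e.g. `# NOTE: enumerated on purpose - every new note ability must be added here, otherwise it stays allowed without the notes widget`, and back it with a spec that compares this list against the note abilities the policy enables. The class body continues outside the hunk, so the abilities enabled elsewhere in IssuePolicy and IssuablePolicy are not visible here.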
@@ -20,12 +20,20 @@ class NotePolicy < BasePolicy condition(:confidential, scope: :subject) { @subject.confidential? } + # if noteable is a work item it needs to check the notes widget availability + condition(:notes_widget_enabled, scope: :subject) do + !@subject.noteable.respond_to?(:work_item_type) || + @subject.noteable.work_item_type.widgets.include?(::WorkItems::Widgets::Notes) + end + # Should be matched with IssuablePolicy#read_internal_note # and EpicPolicy#read_internal_note condition(:can_read_confidential) do access_level >= Gitlab::Access::REPORTER || admin? end + rule { ~notes_widget_enabled }.prevent_all + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes |
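Review bot: `@subject.noteable.work_item_type.widgets` in the `notes_widget_enabled` condition is guarded only by `respond_to?(:work_item_type)`, so a noteable that responds to the method but returns nil raises NoMethodError during policy evaluation instead of producing an allow or deny decision; the same unguarded chain, `@subject.work_item_type.widgets`, is in the issue_policy.rb hunk. Whether nil can occur (for example on a record that is built but not yet validated) depends on the model, which is not shown here. If it can, the default should be chosen explicitly: `@subject.noteable.work_item_type&.widgets&.include?(::WorkItems::Widgets::Notes)` evaluates to nil when the type is missing, which together with `prevent_all` is the fail-closed choice. The NotePolicy class body continues outside the hunk.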