author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-17 03:09:12 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-17 03:09:12 +0300 |
commit | d43aaf286fe6b8e8383e73ea580274d8841608d7 (patch) | |
tree | ca03542a55583538a1ec13023dffed20457407b5 /app/policies | |
parent | 87af6f2e0590af0ed1bb3e5de1bb5d21855a94d2 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/note_policy.rb | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 54dc70b08cb..32be89439ba 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class NotePolicy < BasePolicy
+  include Gitlab::Utils::StrongMemoize
+
   delegate { @subject.resource_parent }
   delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
 
@@ -13,6 +15,12 @@ class NotePolicy < BasePolicy
   condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
 
+  condition(:confidential, scope: :subject) { @subject.confidential? }
+
+  condition(:can_read_confidential) do
+    access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user)
+  end
+
   rule { ~editable }.prevent :admin_note
 
   # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -39,4 +47,37 @@ class NotePolicy < BasePolicy
   rule { is_noteable_author }.policy do
     enable :resolve_note
   end
+
+  rule { confidential & ~can_read_confidential }.policy do
+    prevent :read_note
+    prevent :admin_note
+    prevent :resolve_note
+    prevent :award_emoji
+  end
+
+  def parent_namespace
+    strong_memoize(:parent_namespace) do
+      next if @subject.is_a?(PersonalSnippet)
+      next @subject.noteable.group if @subject.noteable&.is_a?(Epic)
+
+      @subject.project
+    end
+  end
+
+  def access_level
+    return -1 if @user.nil?
+    return -1 unless parent_namespace
+
+    lookup_access_level!
+  end
+
+  def lookup_access_level!
+    return ::Gitlab::Access::REPORTER if alert_bot?
+
+    if parent_namespace.is_a?(Project)
+      parent_namespace.team.max_member_access(@user.id)
+    else
+      parent_namespace.max_member_access_for_user(@user)
+    end
+  end
 end
|
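Review bot: The three helpers added at the end of the last hunk (`parent_namespace`, `access_level`, `lookup_access_level!`) are public methods on the policy, yet they exist only to serve the `can_read_confidential` condition in the second hunk; a `private` marker before `def parent_namespace` would keep the access-level computation from becoming part of NotePolicy's external surface. `lookup_access_level!` also carries a `!` with no non-bang counterpart and mutates nothing, so it reads as a warning about a side effect that is not there; `lookup_access_level` would be the conventional name. The `-1` sentinel in `access_level` deserves a line of documentation, since its meaning is only visible through the comparison against `Gitlab::Access::REPORTER` in the other hunk: `# -1 means "no membership"; anonymous users and subjects without a parent namespace never reach REPORTER.` Note too that `lookup_access_level!` returns REPORTER for `alert_bot?` before looking at the namespace at all, which is presumably intended but worth a one-line comment stating so.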