
authorRobert Speicher <rspeicher@gmail.com>2016-04-26 19:55:38 +0300
committerRobert Speicher <rspeicher@gmail.com>2016-04-26 21:40:51 +0300
commitbe67a4843cc37790402404650cb96a6f02552b54 (patch)
tree795a8c1e33276c42a0b7fcb37cddf31477030353 /app/services/notes/create_service.rb
parent2f5394f5d640944a4efac9d89fcbdbcf79803f01 (diff)
Prevent privilege escalation via notes API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
Diffstat (limited to 'app/services/notes/create_service.rb')
-rw-r--r--app/services/notes/create_service.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/app/services/notes/create_service.rb b/app/services/notes/create_service.rb
index 2bb312bb252..01586994813 100644
--- a/app/services/notes/create_service.rb
+++ b/app/services/notes/create_service.rb
@@ -5,6 +5,8 @@ module Notes
note.author = current_user
note.system = false
+ return unless valid_project?(note)
+
if note.save
# Finish the harder work in the background
NewNoteWorker.perform_in(2.seconds, note.id, params)
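Review bot: The new guard `return unless valid_project?(note)` makes `execute` return `nil` on a rejected noteable, while every other path returns the `note` object (the method ends with `note` in the next hunk); a caller that inspects the result with `note.valid?` or `note.errors` would raise NoMethodError instead of reporting a clean failure. If callers are expected to inspect the result, the contract can be kept by returning the unsaved note with an error attached, e.g. `note.errors.add(:base, 'Noteable does not belong to this project'); return note` in place of the bare `return` (keeping `save` out of that path so the error is not cleared by validation). In either form the guard deserves a one-line comment recording why it exists, e.g. `# Reject a noteable that lives in another project (presumably reachable via params) before anything is persisted`. The `execute` method begins before this hunk, so where `params` are applied to the note is not visible here.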
@@ -13,5 +15,14 @@ module Notes
note
end
+
+ private
+
+ def valid_project?(note)
+ return false unless project
+ return true if note.for_commit?
+
+ note.noteable.try(:project) == project
+ end
end
end
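Review bot: `valid_project?` has no comment explaining why commit notes are exempted by `return true if note.for_commit?`, which is the only path where the note's target is never compared against `project`; anyone auditing this escalation fix needs that rationale. Presumably a commit noteable is resolved through the note's own project rather than a user-supplied id, so it cannot point into another project, but that is not visible here and should be stated and verified. I would add above the method `# A noteable (issue, MR, snippet) must belong to this project. Commit notes are exempt because the commit is looked up via the note's project — confirm.`. It is also worth noting on the last line that `try(:project)` fails closed: a nil noteable or one without a `project` yields `nil`, which never equals the non-nil `project` guaranteed by the first guard, e.g. `# nil noteable or no project => false (fail closed)`.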