Repository: gitlab.com/gitlab-org/gitlab-foss.git
author: Nick Thomas <nick@gitlab.com> 2019-08-22 18:05:07 +0300
committer: Nick Thomas <nick@gitlab.com> 2019-08-23 14:47:54 +0300
commit: 642f6b38169c5805676f061708d25137f4cc986e
tree: 0fa7b94a595164c0b8e8338850bc7d4f4c0aa811 /app/services/todo_service.rb
parent: f7f3b3c3efd58f31ed422808722b0c81a0bf1064
Send TODOs for comments on commits correctly
At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue. This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
Diffstat (limited to 'app/services/todo_service.rb')
-rw-r--r--  app/services/todo_service.rb | 6
1 files changed, 2 insertions, 4 deletions
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 0ea230a44a1..b1256df35d6 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -314,11 +314,9 @@ class TodoService
end
def reject_users_without_access(users, parent, target)
- if target.is_a?(Note) && target.for_issuable?
- target = target.noteable
- end
+ target = target.noteable if target.is_a?(Note)
- if target.is_a?(Issuable)
+ if target.respond_to?(:to_ability_name)
select_users(users, :"read_#{target.to_ability_name}", target)
else
select_users(users, :read_project, parent)
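Review bot: the `else` branch still falls back to `:read_project` on `parent` for any noteable that does not respond to `to_ability_name`, so this only closes the gap for noteables that define that method; a spec that creates a note on a commit whose visibility is tighter than the project's and asserts that no TODO is created for a user who cannot see the commit would pin the intended behaviour down. Removing the `for_issuable?` guard is also what now routes commit notes through `target.noteable` to the `:read_commit` check described in the commit message, so a short comment above `target = target.noteable if target.is_a?(Note)` saying why the guard was dropped would keep a future reader from reinstating it.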