
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:02:13 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-01 01:02:13 +0300
commit516fba52cf280b9d5bad08dce9f0150f859b6cea (patch)
tree4dad71be856651af62c9a281b01087ae15480810 /app/services
parentc90be62bdefdb6bb67c73a9c4a6d164c9f78a28d (diff)
Add latest changes from gitlab-org/security/gitlab@13-4-stable-ee
Diffstat (limited to 'app/services')
-rw-r--r--app/services/issuable_base_service.rb1
-rw-r--r--app/services/issues/update_service.rb12
2 files changed, 13 insertions, 0 deletions
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 56bcef0c562..1672ba2830a 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -19,6 +19,7 @@ class IssuableBaseService < BaseService
def filter_params(issuable)
unless can_admin_issuable?(issuable)
+ params.delete(:milestone)
params.delete(:milestone_id)
params.delete(:labels)
params.delete(:add_label_ids)
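Review bot: The new `params.delete(:milestone)` line shows that this deny-list has to name every key under which a protected attribute can arrive, and the list had covered `:milestone_id` but not `:milestone`. The rest of `filter_params` lies outside the hunk, so it is worth confirming that every other attribute stripped here is removed under each key it can arrive by, not just one. A comment above the added line would record why both keys are needed, for example `# :milestone presumably sets the same association as :milestone_id, so strip both for users who cannot admin the issuable`. A spec that submits `milestone:` as a user without admin rights and asserts the issuable is unchanged would stop this regressing.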
diff --git a/app/services/issues/update_service.rb b/app/services/issues/update_service.rb
index ce21b2e0275..b9832400302 100644
--- a/app/services/issues/update_service.rb
+++ b/app/services/issues/update_service.rb
@@ -3,6 +3,7 @@
module Issues
class UpdateService < Issues::BaseService
include SpamCheckMethods
+ extend ::Gitlab::Utils::Override
def execute(issue)
handle_move_between_ids(issue)
@@ -17,6 +18,17 @@ module Issues
super
end
+ override :filter_params
+ def filter_params(issue)
+ super
+
+ # filter confidential in `Issues::UpdateService` and not in `IssuableBaseService#filtr_params`
+ # because we do allow users that cannot admin issues to set confidential flag when creating an issue
+ unless can_admin_issuable?(issue)
+ params.delete(:confidential)
+ end
+ end
+
def before_update(issue, skip_spam_check: false)
spam_check(issue, current_user, action: :update) unless skip_spam_check
end
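Review bot: The new `filter_params` override calls `super` but discards its result, so the method now returns the value of the `unless` expression (`nil`, or the deleted `:confidential` value). No caller is visible in this hunk; if any caller uses the return value, keep the parent's contract by capturing it (`result = super`) and returning `result` as the last expression. The comment above the guard misspells the parent method as `IssuableBaseService#filtr_params`; it should read `IssuableBaseService#filter_params` so that a search for the method name finds this rationale. Because the guard is the only thing that stops a user without admin rights from changing `confidential` on update, a spec for that case and for the still-allowed create path would pin the behaviour. The diffstat is limited to `app/services`, so such a spec may already be part of the commit.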