Merge branch 'security-65756-ex-admin-attacker-can-comment-in-internalsecurity-65756-ex-admin-attacker-can-comment-in-internal-12-4' into '12-4-stable'

Improper access control allows the attacker to comment in internal commit after they are no longer admin See merge request gitlab/gitlabhq!3497
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-24 21:53:03 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-24 21:53:03 +0300
commit: ddfb716076bd94f02293505881f7a9333d3a5da4 (patch)
tree: 260cf1c6869e748b183c3172a34fa485f00c91bd /app
parent: 203f5b43734cbb320bcfdd1f3929f4fb1862c8dc (diff)
parent: 99c8d262a73eb5f8fef6ab7e1aeb961e16d25c28 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/app/policies/commit_policy.rb b/app/policies/commit_policy.rb
index 4d4f0ba9267..4b358c45ec2 100644
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
   delegate { @subject.project }
 
   rule { can?(:download_code) }.enable :read_commit
+  rule { ~can?(:read_commit) }.prevent :create_note
 end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-24 21:53:03 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-24 21:53:03 +0300
commit	ddfb716076bd94f02293505881f7a9333d3a5da4 (patch)
tree	260cf1c6869e748b183c3172a34fa485f00c91bd /app
parent	203f5b43734cbb320bcfdd1f3929f4fb1862c8dc (diff)
parent	99c8d262a73eb5f8fef6ab7e1aeb961e16d25c28 (diff)