author | Charlie Ablett <cablett@gitlab.com> | 2019-10-24 21:54:06 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-24 21:54:06 +0300 |
commit | b3d5a0a40f1735d1788f6f0129c31e47255d5361 (patch) | |
tree | 727b7127100d71d183563c3c475d50c809c5b5c0 /app | |
parent | 74bc3906d1327bf823e1646a0918d3edf9fa6b06 (diff) |
Improper access control allows the attacker to comment in internal commit after they are no longer admin
Diffstat (limited to 'app')
-rw-r--r-- | app/policies/commit_policy.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/app/policies/commit_policy.rb b/app/policies/commit_policy.rb
index 4d4f0ba9267..4b358c45ec2 100644
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -4,4 +4,5 @@ class CommitPolicy < BasePolicy
 delegate { @subject.project }
 rule { can?(:download_code) }.enable :read_commit
+ rule { ~can?(:read_commit) }.prevent :create_note
 end |
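Review bot: The added rule closes the gap for `:create_note` only; every other ability the project policy grants on a commit through `delegate { @subject.project }` (reading or reacting to existing commit notes, if those are project-level abilities) is still not gated on `read_commit`, so it is worth confirming those paths have an equivalent check. The intent is also not obvious from the line itself — a reader has to know that in DeclarativePolicy a local `prevent` overrides an `enable` inherited from the delegated project policy — so I would add `# A user who can no longer read the commit must not be able to comment on it, even though the project policy still grants :create_note.` above the new rule. A regression spec for a user whose access was revoked after they could previously comment would pin the behaviour. The enclosing `CommitPolicy` class opens before the hunk.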