diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 16:52:58 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 16:52:58 +0300 |
commit | fccaf914e17f4dd84bba291ee57c79b9b7751434 (patch) | |
tree | e2bf8b6ea0b1c0808db243cd9d9e2733c4b06fa8 /app | |
parent | fb9cf61f57d6e5b49214a96759636ac13ec4c905 (diff) | |
parent | b06a092312b0674eef59e50b20f4f8bd2dd1a8f4 (diff) |
Merge branch 'security-12630-private-system-note-disclosed-in-graphql-12-2-ce' into '12-2-stable'
Add policy check if cross reference system notes are accessible
See merge request gitlab/gitlabhq!3427
Diffstat (limited to 'app')
-rw-r--r-- | app/models/discussion.rb | 1 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 9 |
2 files changed, 10 insertions, 0 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb index dd896f77084..0d066d0d99f 100644 --- a/app/models/discussion.rb +++ b/app/models/discussion.rb @@ -18,6 +18,7 @@ class Discussion :for_merge_request?, :to_ability_name, :editable?, + :visible_for?, to: :first_note diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index 8d23e3abed3..b2af6c874c7 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -11,6 +11,8 @@ class NotePolicy < BasePolicy condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") } + condition(:is_visible) { @subject.visible_for?(@user) } + rule { ~editable }.prevent :admin_note # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes @@ -27,6 +29,13 @@ class NotePolicy < BasePolicy enable :resolve_note end + rule { ~is_visible }.policy do + prevent :read_note + prevent :admin_note + prevent :resolve_note + prevent :award_emoji + end + rule { is_noteable_author }.policy do enable :resolve_note end |