Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-09-26 16:52:58 +0300
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-09-26 16:52:58 +0300
commitfccaf914e17f4dd84bba291ee57c79b9b7751434 (patch)
treee2bf8b6ea0b1c0808db243cd9d9e2733c4b06fa8 /app
parentfb9cf61f57d6e5b49214a96759636ac13ec4c905 (diff)
parentb06a092312b0674eef59e50b20f4f8bd2dd1a8f4 (diff)
Merge branch 'security-12630-private-system-note-disclosed-in-graphql-12-2-ce' into '12-2-stable'
Add policy check if cross reference system notes are accessible See merge request gitlab/gitlabhq!3427
Diffstat (limited to 'app')
-rw-r--r--app/models/discussion.rb1
-rw-r--r--app/policies/note_policy.rb9
2 files changed, 10 insertions, 0 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index dd896f77084..0d066d0d99f 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -18,6 +18,7 @@ class Discussion
:for_merge_request?,
:to_ability_name,
:editable?,
+ :visible_for?,
to: :first_note
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 8d23e3abed3..b2af6c874c7 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -11,6 +11,8 @@ class NotePolicy < BasePolicy
condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") }
+ condition(:is_visible) { @subject.visible_for?(@user) }
+
rule { ~editable }.prevent :admin_note
# If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -27,6 +29,13 @@ class NotePolicy < BasePolicy
enable :resolve_note
end
+ rule { ~is_visible }.policy do
+ prevent :read_note
+ prevent :admin_note
+ prevent :resolve_note
+ prevent :award_emoji
+ end
+
rule { is_noteable_author }.policy do
enable :resolve_note
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-14 08:59:03 +0300