Add policy check if cross reference system notes are accessible

author: Alexandru Croitor <acroitor@gitlab.com> 2019-09-18 11:26:20 +0300
committer: Alexandru Croitor <acroitor@gitlab.com> 2019-09-23 12:20:08 +0300
commit: e82f50d0e5c2aecb8041ad73cba0a571cf5f38a7 (patch)
tree: 4ce60f045c40335df2eeae6029db4e3662f7bfc3 /app
parent: 7099ecf77cb45c7b456a47f24064657ca59549b7 (diff)
2 files changed, 10 insertions, 0 deletions
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index dd896f77084..0d066d0d99f 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -18,6 +18,7 @@ class Discussion
             :for_merge_request?,
             :to_ability_name,
             :editable?,
+            :visible_for?,
 
             to: :first_note
 
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 8d23e3abed3..b2af6c874c7 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -11,6 +11,8 @@ class NotePolicy < BasePolicy
 
   condition(:can_read_noteable) { can?(:"read_#{@subject.to_ability_name}") }
 
+  condition(:is_visible) { @subject.visible_for?(@user) }
+
   rule { ~editable }.prevent :admin_note
 
   # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
@@ -27,6 +29,13 @@ class NotePolicy < BasePolicy
     enable :resolve_note
   end
 
+  rule { ~is_visible }.policy do
+    prevent :read_note
+    prevent :admin_note
+    prevent :resolve_note
+    prevent :award_emoji
+  end
+
   rule { is_noteable_author }.policy do
     enable :resolve_note
   end
author	Alexandru Croitor <acroitor@gitlab.com>	2019-09-18 11:26:20 +0300
committer	Alexandru Croitor <acroitor@gitlab.com>	2019-09-23 12:20:08 +0300
commit	e82f50d0e5c2aecb8041ad73cba0a571cf5f38a7 (patch)
tree	4ce60f045c40335df2eeae6029db4e3662f7bfc3 /app
parent	7099ecf77cb45c7b456a47f24064657ca59549b7 (diff)