diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:02:05 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:02:05 +0300 |
| commit | 83e8f432e03fee659c3ac0bd718f40dff0bf8e45 (patch) | |
| tree | ff65535f069ab7bb5005b9bddcd81f290f140bd2 /app | |
| parent | 7d028ae6a925c50033b14ada8495a244305e6df0 (diff) | |
| parent | 6324a099746475910dec56500e0f834a79f181da (diff) | |
Merge branch 'security-filter-related-branches-from-activity-feed-12.5' into '12-5-stable'
Related Branches Visible to Guests in Issue Activity
See merge request gitlab/gitlabhq!3538
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/note.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/app/models/note.rb b/app/models/note.rb index ce60413b8a0..493132e30cc 100644 --- a/app/models/note.rb +++ b/app/models/note.rb @@ -37,6 +37,10 @@ class Note < ApplicationRecord redact_field :note + TYPES_RESTRICTED_BY_ABILITY = { + branch: :download_code + }.freeze + # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes. # See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102 alias_attribute :last_edited_at, :updated_at @@ -341,7 +345,7 @@ class Note < ApplicationRecord end def visible_for?(user) - !cross_reference_not_visible_for?(user) + !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user) end def award_emoji? @@ -493,6 +497,15 @@ class Note < ApplicationRecord private + def system_note_viewable_by?(user) + return true unless system_note_metadata + + restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym] + return Ability.allowed?(user, restriction, project) if restriction + + true + end + def keep_around_commit project.repository.keep_around(self.commit_id) end |