
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorHordur Freyr Yngvason <hfyngvason@gitlab.com>2019-07-04 13:31:44 +0300
committerHordur Freyr Yngvason <hfyngvason@gitlab.com>2019-07-12 12:16:21 +0300
commit51e607156c0a7676ffac8a647077b0934d946123 (patch)
tree72f1b475168e0185e08e918bb662b4c9c0419b14 /app
parent08a51a9db938bb05f9a4c999075d010079e16bad (diff)
Restrict slash commands to users who can log in
Diffstat (limited to 'app')
-rw-r--r--app/models/project_services/slash_commands_service.rb2
-rw-r--r--app/policies/global_policy.rb3
2 files changed, 5 insertions, 0 deletions
diff --git a/app/models/project_services/slash_commands_service.rb b/app/models/project_services/slash_commands_service.rb
index bfabc6d262c..46925f6704d 100644
--- a/app/models/project_services/slash_commands_service.rb
+++ b/app/models/project_services/slash_commands_service.rb
@@ -35,6 +35,8 @@ class SlashCommandsService < Service
chat_user = find_chat_user(params)
if chat_user&.user
+ return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
+
Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
else
url = authorize_chat_name_url(params)
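Review bot: The new guard inside the `if chat_user&.user` branch carries no comment explaining why an already linked chat user has to be checked again, and the refusal leaves no trace. The chat-name link presumably stays in place after the account is blocked or locked, which is the case this line closes, so a comment such as `# A chat link can outlive the account's login state; re-check the ability on every trigger.` would keep the check from later being removed as redundant. It would also help to log the denial with the user id before returning, since a blocked or locked account still issuing chat commands is a useful audit signal. The enclosing method starts and ends outside the hunk, so any earlier checks such as token validation are not visible here.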
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 134de1c9ace..311aab0dcd4 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -33,6 +33,7 @@ class GlobalPolicy < BasePolicy
enable :access_git
enable :receive_notifications
enable :use_quick_actions
+ enable :use_slash_commands
end
rule { blocked | internal }.policy do
@@ -40,6 +41,7 @@ class GlobalPolicy < BasePolicy
prevent :access_api
prevent :access_git
prevent :receive_notifications
+ prevent :use_slash_commands
end
rule { required_terms_not_accepted }.policy do
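Review bot: `:use_slash_commands` is prevented by hand in the `blocked | internal` rule here and again beside `prevent :log_in` in the `access_locked` hunk below, so the two abilities are kept in step only by convention. A later rule that prevents `:log_in` can forget the slash-command line and reopen the gap. If the intent is what the commit title states, deriving one from the other would fail closed: `rule { ~can?(:log_in) }.prevent :use_slash_commands`. The body of `required_terms_not_accepted` lies outside the hunk, so it is worth confirming whether users who have not accepted the terms should also lose this ability, as they may for the API and Git abilities.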
@@ -57,6 +59,7 @@ class GlobalPolicy < BasePolicy
rule { access_locked }.policy do
prevent :log_in
+ prevent :use_slash_commands
end
rule { ~(anonymous & restricted_public_level) }.policy do