author | Robert Speicher <robert@gitlab.com> | 2016-04-26 22:45:41 +0300 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2016-04-26 23:31:48 +0300 |
commit | 076632f170271ad08e7be1aaaf5a1cb63a0c639f (patch) | |
tree | 1d8344f38d81dc7a0effc97af2b48fb2fca6f9cf /app | |
parent | 23bc10ec7910a6d4e428f0c7fc0e5ef8fc96d24d (diff) |
Merge branch 'rs-notes-privilege-escalation' into 'master'
Prevent privilege escalation via notes API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
See merge request !1964
Diffstat (limited to 'app')
-rw-r--r-- | app/services/notes/create_service.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/app/services/notes/create_service.rb b/app/services/notes/create_service.rb
index a8486e6a5a1..5e2eb5dc21e 100644
--- a/app/services/notes/create_service.rb
+++ b/app/services/notes/create_service.rb
@@ -5,6 +5,8 @@ module Notes
       note.author = current_user
       note.system = false
 
+      return unless valid_project?(note)
+
       if note.save
         notification_service.new_note(note)
 
@@ -28,5 +30,14 @@ module Notes
       note.project.execute_hooks(note_data, :note_hooks)
       note.project.execute_services(note_data, :note_hooks)
     end
+
+    private
+
+    def valid_project?(note)
+      return false unless project
+      return true if note.for_commit?
+
+      note.noteable.try(:project) == project
+    end
   end
 end
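Review bot: `return unless valid_project?(note)` in the first hunk makes `execute` return nil for a cross-project noteable, so a caller that expects a Note back (to inspect `errors` or `persisted?`) gets nil rather than a rejected record; if `execute` does return the note as its last expression (that line is outside the hunk), adding `note.errors.add(:base, 'Noteable belongs to another project')` before an early `return note` keeps the result type uniform and lets the API report a 4xx instead of failing on nil. In `valid_project?`, the `note.for_commit?` bypass is only safe if commit notes are already resolved within `project` before reaching this service — that lookup is not visible here, so worth confirming. A short comment above the method would preserve the intent through later refactors: `# noteable_type/noteable_id come from the caller; refuse to save a note whose noteable belongs to a different project.` The enclosing `execute` method starts outside the first hunk.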