| field | value | date |
|---|---|---|
| author | Nick Thomas <nick@gitlab.com> | 2019-08-22 18:05:07 +0300 |
| committer | Nick Thomas <nick@gitlab.com> | 2019-08-23 14:47:27 +0300 |
| commit | b0ebfa3d46084dc2b876d62ab8c6a06e84c4da8e (patch) | |
| tree | 44848add41cc6627cdcacb469ffd80e23e8f7595 /app | |
| parent | 4a6d22ba439cb20937669c4aa2046acffb36a60e (diff) | |
Send TODOs for comments on commits correctly
At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.
This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the users can see the commit.
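The bug class described in the commit message is an authorization check done at the wrong granularity: the container (project) is checked when the object inside it (commit) can be more restricted. The following is an added, self-contained model of the filter before and after the change; it is not GitLab's code. `Project`, `Commit`, `Issue`, `Note`, `User`, `Issuable` and `Ability` are stand-ins constructed here, and only the two `reject_users_without_access` variants follow the patch.

```ruby
# Added example, not GitLab's own code. The model classes below are stand-ins;
# the ability names read_project / read_commit / read_issue mirror the ones the
# patch uses.

module Issuable; end

User    = Struct.new(:name, :member)         # member: true for project members
Project = Struct.new(:name)                  # every project here is public
Commit  = Struct.new(:project, :sha, :members_only) do
  def to_ability_name; 'commit'; end         # => :read_commit
end
Issue   = Struct.new(:project, :iid, :confidential) do
  include Issuable
  def to_ability_name; 'issue'; end          # => :read_issue
end
Note    = Struct.new(:noteable) do
  def for_issuable?; noteable.is_a?(Issuable); end
end

# Stand-in for the policy layer: an object-level check per ability.
module Ability
  def self.allowed?(user, ability, subject)
    case ability
    when :read_project then true                                   # public project
    when :read_commit  then !subject.members_only || user.member   # commit more restricted than project
    when :read_issue   then !subject.confidential || user.member
    else false                                                     # unknown ability: deny
    end
  end
end

def select_users(users, ability, subject)
  users.select { |user| Ability.allowed?(user, ability, subject) }
end

# Behaviour before the commit (the removed lines of the hunk): a note on a
# commit falls through to read_project on the parent.
def reject_users_without_access_before(users, parent, target)
  target = target.noteable if target.is_a?(Note) && target.for_issuable?
  if target.is_a?(Issuable)
    select_users(users, :"read_#{target.to_ability_name}", target)
  else
    select_users(users, :read_project, parent)
  end
end

# Behaviour after the commit (the added lines of the hunk): any noteable that
# exposes to_ability_name is checked with its own read_* ability.
def reject_users_without_access_after(users, parent, target)
  target = target.noteable if target.is_a?(Note)
  if target.respond_to?(:to_ability_name)
    select_users(users, :"read_#{target.to_ability_name}", target)
  else
    select_users(users, :read_project, parent)
  end
end

def recipients_for(note, project, users)
  {
    before: reject_users_without_access_before(users, project, note).map(&:name),
    after:  reject_users_without_access_after(users, project, note).map(&:name)
  }
end

# Constructed scenario: a public project whose commits are members-only, one
# member and one outsider, a note on a commit and a note on a confidential issue.
def demo
  project  = Project.new('public-project')
  member   = User.new('member', true)
  outsider = User.new('outsider', false)
  users    = [member, outsider]

  {
    commit: recipients_for(Note.new(Commit.new(project, 'abc123', true)), project, users),
    issue:  recipients_for(Note.new(Issue.new(project, 1, true)), project, users)
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

Running it shows the outsider receiving a TODO for the commit note under the old check (`read_project` passes on a public project) and being filtered out under the new one, while the issue path is unchanged because it already used the object-level `read_issue` ability.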
Diffstat (limited to 'app')
-rw-r--r-- | app/services/todo_service.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb index 0ea230a44a1..b1256df35d6 100644 --- a/app/services/todo_service.rb +++ b/app/services/todo_service.rb @@ -314,11 +314,9 @@ class TodoService end def reject_users_without_access(users, parent, target) - if target.is_a?(Note) && target.for_issuable? - target = target.noteable - end + target = target.noteable if target.is_a?(Note) - if target.is_a?(Issuable) + if target.respond_to?(:to_ability_name) select_users(users, :"read_#{target.to_ability_name}", target) else select_users(users, :read_project, parent) |
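Review bot: The new `if target.respond_to?(:to_ability_name)` branch assumes every noteable class that defines `to_ability_name` also has a matching `read_<name>` ability in its policy; for commits that is `:read_commit`, as the message says, but any other noteable that responds to `to_ability_name` without such an ability would now be checked against an undefined ability instead of falling through to `select_users(users, :read_project, parent)` as before, and would silently drop all recipients. Worth confirming in review which noteable classes respond to `to_ability_name`, and adding a spec for a note on a commit in a project whose commits are more restricted than the project (a user who can read the project but not the commit gets no TODO) plus one non-commit, non-issuable noteable to show the `read_project` fallback still applies.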