author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:35 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:35 +0300 |
commit | 1a51bc936a37a1a70f43d7edf234048c7b6027f9 (patch) | |
tree | ec09f37fb574452eaf59d3e45216cc249feced53 /app | |
parent | 170c11041f05345baf94c991c560a6b0e2ed4dee (diff) | |
parent | 130fda7d4b223f99b3fd7b69f8dfa4cbb849116b (diff) |
Merge branch 'security-filter-related-branches-from-activity-feed-12.4' into '12-4-stable'
Related Branches Visible to Guests in Issue Activity
See merge request gitlab/gitlabhq!3539
Diffstat (limited to 'app')
-rw-r--r-- | app/models/note.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/app/models/note.rb b/app/models/note.rb
index ce60413b8a0..493132e30cc 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -37,6 +37,10 @@ class Note < ApplicationRecord
 redact_field :note
+ TYPES_RESTRICTED_BY_ABILITY = {
+ branch: :download_code
+ }.freeze
+
 # Aliases to make application_helper#edited_time_ago_with_tooltip helper work properly with notes.
 # See https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/10392/diffs#note_28719102
 alias_attribute :last_edited_at, :updated_at
@@ -341,7 +345,7 @@ class Note < ApplicationRecord
 end
 def visible_for?(user)
- !cross_reference_not_visible_for?(user)
+ !cross_reference_not_visible_for?(user) && system_note_viewable_by?(user)
 end
 def award_emoji?
@@ -493,6 +497,15 @@ class Note < ApplicationRecord
 private
+ def system_note_viewable_by?(user)
+ return true unless system_note_metadata
+
+ restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action.to_sym]
+ return Ability.allowed?(user, restriction, project) if restriction
+
+ true
+ end
+
 def keep_around_commit
 project.repository.keep_around(self.commit_id)
 end |
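Review bot: `TYPES_RESTRICTED_BY_ABILITY` in the first hunk carries no comment saying what its keys and values mean or how unlisted actions are treated. Reading `system_note_viewable_by?` in the last hunk, the keys are system note actions, the values are the ability a user needs to see notes of that action, and any action not in the map stays visible. That makes the map a denylist, so a future system note type that exposes repository data is visible to everyone until someone adds it here. I would put this above the constant: `# System note action => ability required to view notes of that action. Actions not listed here are not restricted.`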
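Review bot: In the second hunk `visible_for?` becomes the only place the branch restriction is enforced, and it is a per-record check made after the note is loaded. Any path that lists, counts, serializes or mails notes without calling `visible_for?` on each one would still show the related-branch note to a guest; those callers are outside this diff, so this should be confirmed rather than assumed. The method also deserves a comment stating the new contract, for example `# Visible only if the cross-reference is readable and, for restricted system note types, the user holds the mapped ability.`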
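Review bot: In `system_note_viewable_by?` (third hunk), `system_note_metadata.action.to_sym` raises `NoMethodError` if a metadata row ever has a nil `action`, which would turn a visibility check into a failed request for every viewer of that issue. Whether the metadata model forbids a nil action is not visible here. If it does not, `restriction = TYPES_RESTRICTED_BY_ABILITY[system_note_metadata.action&.to_sym]` keeps the lookup safe and treats such a row like any other unlisted action. `project` is also passed to `Ability.allowed?` unguarded; presumably branch notes always belong to a project, but a one-line comment saying so would help.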