diff options
| author | Heinrich Lee Yu <hleeyu@gmail.com> | 2019-01-15 21:53:24 +0300 |
|---|---|---|
| committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-31 18:52:48 +0300 |
| commit | 35b8f103a87811e0a825773aad3e3d04ee85fa9e (patch) | |
| tree | 904b43a964b34922562589318d74316b14980629 /changelogs | |
| parent | 1549039602dd88fa4f33b0c3f82861ab9bdd7669 (diff) | |
Prevent comments by email when issue is locked
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.
Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.
Diffstat (limited to 'changelogs')
| -rw-r--r-- | changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml new file mode 100644 index 00000000000..2f76064d8a4 --- /dev/null +++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml @@ -0,0 +1,5 @@ +--- +title: Prevent unauthorized replies when discussion is locked or confidential +merge_request: +author: +type: security |