diff options
author | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-06-05 06:30:54 +0300 |
---|---|---|
committer | Alex Kalderimis <alex.kalderimis@gmail.com> | 2019-08-07 05:22:26 +0300 |
commit | 39e400e29a8d8f32e0ac2cb74d504d53885d67bc (patch) | |
tree | 5d272e61c97b701ecc263fecf6428deb684179f9 /changelogs | |
parent | 34d086f3e14eecf3bfdcf766f7b3499bd3aad47b (diff) |
Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs
This applies the notes rules at the MR scope. Rather than adding extra
rules to the Project level policy, preventing :create_note here is
better since it only prevents creating notes on MRs.
* Prevent creating notes in inaccessible Issues
without this policy, non-team-members are allowed to comment on issues
even when the project has the private-issues policy set. This means that
without this change, users are allowed to comment on issues that they
cannot read.
* Add CHANGELOG entry
Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml new file mode 100644 index 00000000000..ba970162447 --- /dev/null +++ b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml @@ -0,0 +1,3 @@ +--- +title: Ensure only authorised users can create notes on Merge Requests and Issues +type: security |