3 files changed, 23 insertions, 1 deletions

diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f1efcb25331..128f9c5a836 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -21,6 +21,12 @@ class IssuablePolicy < BasePolicy
     enable :reopen_issue
   end
 
+  # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
+  # TodoPolicy for performance reasons
+  rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+    enable :read_confidential_notes
+  end
+
   rule { can?(:read_merge_request) & assignee_or_author }.policy do
     enable :update_merge_request
     enable :reopen_merge_request
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index e85f18f2d37..1bffcc5aea2 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
 
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
   condition(:can_read_confidential) do
     access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
   end
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
   condition(:own_todo) do
     @user && @subject.user_id == @user.id
   end
+
+  desc "User can read the todo's target"
   condition(:can_read_target) do
     @user && @subject.target&.readable_by?(@user)
   end
 
+  desc "Todo has confidential note"
+  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+  desc "User can read the todo's confidential note"
+  condition(:can_read_todo_confidential_note) do
+    @user && @user.can?(:read_confidential_notes, @subject.target)
+  end
+
   rule { own_todo & can_read_target }.enable :read_todo
-  rule { own_todo & can_read_target }.enable :update_todo
+  rule { can?(:read_todo) }.enable :update_todo
+
+  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+    prevent :read_todo
+    prevent :update_todo
+  end
 end