From 2d29ca85e86e6865f08540d351902641a0d0b4d5 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Date: Tue, 14 Jun 2016 14:37:41 -0300
Subject: Fix notes on confidential issues through JSON to users without access

---
 app/finders/notes_finder.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/finders/notes_finder.rb')

diff --git a/app/finders/notes_finder.rb b/app/finders/notes_finder.rb
index ee14ac60fb4..0b7832e6583 100644
--- a/app/finders/notes_finder.rb
+++ b/app/finders/notes_finder.rb
@@ -12,7 +12,7 @@ class NotesFinder
       when "commit"
         project.notes.for_commit_id(target_id).non_diff_notes
       when "issue"
-        project.issues.find(target_id).notes.inc_author
+        project.issues.visible_to_user(current_user).find(target_id).notes.inc_author
       when "merge_request"
         project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
       when "snippet", "project_snippet"
-- 
cgit v1.2.3