From 836ddfc35d1778675b3bd6d51f51972f36a96bbe Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 29 Sep 2022 21:08:27 +0000
Subject: Add latest changes from gitlab-org/gitlab@master
---
 app/policies/todo_policy.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'app/policies/todo_policy.rb')
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
 condition(:own_todo) do
 @user && @subject.user_id == @user.id
 end
+
+ desc "User can read the todo's target"
 condition(:can_read_target) do
 @user && @subject.target&.readable_by?(@user)
 end
+ desc "Todo has confidential note"
+ condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+ desc "User can read the todo's confidential note"
+ condition(:can_read_todo_confidential_note) do
+ @user && @user.can?(:read_confidential_notes, @subject.target)
+ end
+
 rule { own_todo & can_read_target }.enable :read_todo
- rule { own_todo & can_read_target }.enable :update_todo
+ rule { can?(:read_todo) }.enable :update_todo
+
+ rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+ prevent :read_todo
+ prevent :update_todo
+ end
 end
--
cgit v1.2.3
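Review bot: `can_read_todo_confidential_note` passes `@subject.target` to `can?` with no nil guard, while `can_read_target` a few lines up treats a missing target as possible (`@subject.target&.readable_by?`). Whether a nil subject is denied or raises inside `can?` is not visible in this hunk, so the outcome for a confidential-note todo whose target has been deleted rests on behaviour defined elsewhere; an explicit guard keeps the rule fail-closed by construction: `@user && @subject.target && @user.can?(:read_confidential_notes, @subject.target)`. A short comment on the `.policy do` block would also help the next reader, e.g. `# prevent overrides every enable: a confidential note hides the todo even from its owner unless they can read confidential notes on the target`. The class opens above the hunk, so anything declared before line 5 is not reviewed here.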