From cc201d1e1be2c8f4de2e2265c2b83bd925f8a260 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 28 Sep 2022 21:59:41 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-4-stable-ee

---
 app/policies/issuable_policy.rb |  6 ++++++
 app/policies/note_policy.rb     |  1 +
 app/policies/todo_policy.rb     | 17 ++++++++++++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)

(limited to 'app/policies')

diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index e5913bab726..e864ce8752a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy
     enable :reopen_issue
   end
 
+  # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
+  # TodoPolicy for performance reasons
+  rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+    enable :read_confidential_notes
+  end
+
   rule { can?(:read_merge_request) & assignee_or_author }.policy do
     enable :update_merge_request
     enable :reopen_merge_request
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index e85f18f2d37..1bffcc5aea2 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
 
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
   condition(:can_read_confidential) do
     access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
   end
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 6237fbc50fa..5c24964f24a 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
   condition(:own_todo) do
     @user && @subject.user_id == @user.id
   end
+
+  desc "User can read the todo's target"
   condition(:can_read_target) do
     @user && @subject.target&.readable_by?(@user)
   end
 
+  desc "Todo has confidential note"
+  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+
+  desc "User can read the todo's confidential note"
+  condition(:can_read_todo_confidential_note) do
+    @user && @user.can?(:read_confidential_notes, @subject.target)
+  end
+
   rule { own_todo & can_read_target }.enable :read_todo
-  rule { own_todo & can_read_target }.enable :update_todo
+  rule { can?(:read_todo) }.enable :update_todo
+
+  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+    prevent :read_todo
+    prevent :update_todo
+  end
 end
-- 
cgit v1.2.3