From 642f6b38169c5805676f061708d25137f4cc986e Mon Sep 17 00:00:00 2001
From: Nick Thomas
Date: Thu, 22 Aug 2019 16:05:07 +0100
Subject: Send TODOs for comments on commits correctly

At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue. This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
---
 app/services/todo_service.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'app/services/todo_service.rb')

diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 0ea230a44a1..b1256df35d6 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -314,11 +314,9 @@ class TodoService
   end
 
   def reject_users_without_access(users, parent, target)
-    if target.is_a?(Note) && target.for_issuable?
-      target = target.noteable
-    end
+    target = target.noteable if target.is_a?(Note)
 
-    if target.is_a?(Issuable)
+    if target.respond_to?(:to_ability_name)
       select_users(users, :"read_#{target.to_ability_name}", target)
     else
       select_users(users, :read_project, parent)
-- 
cgit v1.2.3
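Review bot: The `respond_to?(:to_ability_name)` guard still routes any target that lacks that method — including a `nil` `noteable`, if a Note can outlive the object it was written on (inferred, not visible here) — to the `:read_project` fallback, which is the over-permissive path this commit exists to close, so the intent of that fallback deserves a comment above the `if`, e.g. `# Noteables (issues, MRs, commits) carry their own visibility, which can be narrower than the project's; fall back to :read_project only for targets that have no ability name of their own.` Since nothing in the hunk pins the new behaviour, a spec asserting that a note on a commit whose visibility is narrower than the project's yields no TODOs for users who cannot `read_commit` would be worth adding alongside this change. `reject_users_without_access` continues past the end of the hunk.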