From 35b8f103a87811e0a825773aad3e3d04ee85fa9e Mon Sep 17 00:00:00 2001 From: Heinrich Lee Yu Date: Wed, 16 Jan 2019 02:53:24 +0800 Subject: Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable. --- .../unreleased/security-2779-fix-email-comment-permissions-check.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml (limited to 'changelogs') diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml new file mode 100644 index 00000000000..2f76064d8a4 --- /dev/null +++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml @@ -0,0 +1,5 @@ +--- +title: Prevent unauthorized replies when discussion is locked or confidential +merge_request: +author: +type: security -- cgit v1.2.3
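Review bot: the new changelog entry leaves `merge_request:` and `author:` blank, so once the fix lands the entry cannot be traced back to the merge request that carries the actual permission-check change, which this view (limited to 'changelogs') does not show at all; fill in the merge request number when it is known. The title "Prevent unauthorized replies when discussion is locked or confidential" also covers only part of what the commit message describes: it says permissions are re-checked when `reply_to_discussion_id` refers to a discussion on a different noteable, so consider widening the title (or adding a second entry) so readers of the changelog learn that the cross-noteable reply path was fixed too.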