Render 404 when polling commit notes without having permissions

2017-11-01 16:50:05 -02:00 · 2017-11-01 16:50:05 -02:00 · 3ae5f7900c
commit 3ae5f7900c
parent bfb5107ae7
3 changed files with 20 additions and 1 deletions
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@ -4,6 +4,7 @@ module NotesActions

  included do
    before_action :set_polling_interval_header, only: [:index]
+    before_action :noteable, only: :index
    before_action :authorize_admin_note!, only: [:update, :destroy]
    before_action :note_project, only: [:create]
  end
@ -188,7 +189,7 @@ module NotesActions
  end

  def noteable
-    @noteable ||= notes_finder.target
+    @noteable ||= notes_finder.target || render_404
  end

  def last_fetched_at
--- a/changelogs/unreleased/issue_39176.yml
+++ b/changelogs/unreleased/issue_39176.yml
@ -0,0 +1,5 @@
+---
+title: Render 404 when polling commit notes without having permissions
+merge_request:
+author:
+type: fixed
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@ -105,6 +105,19 @@ describe Projects::NotesController do
          expect(note_json[:discussion_html]).to be_nil
          expect(note_json[:diff_discussion_html]).to be_nil
        end
+
+        context 'when user cannot read commit' do
+          before do
+            allow(Ability).to receive(:allowed?).and_call_original
+            allow(Ability).to receive(:allowed?).with(user, :download_code, project).and_return(false)
+          end
+
+          it 'renders 404' do
+            get :index, params
+
+            expect(response).to have_gitlab_http_status(404)
+          end
+        end
      end
    end