Don't process MR refs for guests in the notes
This commit is contained in:
parent
a3cde02651
commit
68d1332229
|
@ -393,7 +393,7 @@ class ProjectPolicy < BasePolicy
|
|||
end.enable :read_issue_iid
|
||||
|
||||
rule do
|
||||
(can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
|
||||
(~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
|
||||
end.enable :read_merge_request_iid
|
||||
|
||||
rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
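Review bot: The changed rule, `(~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)`, expresses the security intent only as a negated role condition, and nothing in the hunk says why guests are excluded or which principals the first branch is still meant to serve. If `guest` is cumulative here (true for every member at guest level or above, as role conditions in this policy family usually are), the first branch now applies only to non-members and every member is granted the iid solely through `can?(:read_merge_request)`; that is the behaviour being relied on and it deserves to be stated. A one-line comment above the `rule do` would make the contract reviewable, e.g. `# Guests must not learn MR iids (they surface via references in notes); members need :read_merge_request, non-members rely on project visibility.` The enclosing `ProjectPolicy` class starts and ends outside the hunk.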
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Don't process MR refs for guests in the notes
|
||||
merge_request: 2771
|
||||
author:
|
||||
type: security
|
|
@ -12,7 +12,7 @@ describe ProjectPolicy do
|
|||
let(:base_guest_permissions) do
|
||||
%i[
|
||||
read_project read_board read_list read_wiki read_issue
|
||||
read_project_for_iids read_issue_iid read_merge_request_iid read_label
|
||||
read_project_for_iids read_issue_iid read_label
|
||||
read_milestone read_project_snippet read_project_member read_note
|
||||
create_project create_issue create_note upload_file create_merge_request_in
|
||||
award_emoji read_release
|
||||
|
@ -152,6 +152,16 @@ describe ProjectPolicy do
|
|||
end
|
||||
end
|
||||
|
||||
context 'for a guest in a private project' do
|
||||
let(:project) { create(:project, :private) }
|
||||
subject { described_class.new(guest, project) }
|
||||
|
||||
it 'disallows the guest from reading the merge request and merge request iid' do
|
||||
expect_disallowed(:read_merge_request)
|
||||
expect_disallowed(:read_merge_request_iid)
|
||||
end
|
||||
end
|
||||
|
||||
context 'builds feature' do
|
||||
subject { described_class.new(owner, project) }
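Review bot: The new `context 'for a guest in a private project'` pins only the negative case, so an over-restriction introduced by `~guest` in the policy rule would go unnoticed: a guest of a public project, where merge requests are visible to everyone, should still be granted `:read_merge_request_iid` via the `can?(:read_merge_request)` branch, and nothing in this section asserts that. A companion context along the lines of `let(:project) { create(:project, :public) }` with `expect_allowed(:read_merge_request_iid)` would document the intended boundary — guests lose the iid only where they cannot read the merge request itself. This assumes a `:public` project trait and an `expect_allowed` helper exist in this suite, which the hunk does not show. The `describe ProjectPolicy` block starts and ends outside the hunk.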
|
||||
|
||||
|
|