Prevent award_emoji to notes not visible to user

When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes
2019-01-15 16:21:28 +08:00 · 2019-01-15 16:21:28 +08:00 · 9f67b886b2
commit 9f67b886b2
parent 6c0758f69b
3 changed files with 8 additions and 0 deletions
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
+    prevent :award_emoji
  end

  rule { is_author }.policy do
--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_disallowed(:admin_note)
          expect(policy).to be_disallowed(:resolve_note)
          expect(policy).to be_disallowed(:read_note)
+          expect(policy).to be_disallowed(:award_emoji)
        end
      end

@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_allowed(:admin_note)
          expect(policy).to be_allowed(:resolve_note)
          expect(policy).to be_allowed(:read_note)
+          expect(policy).to be_allowed(:award_emoji)
        end
      end
    end