Prevent award_emoji to notes not visible to user

When the parent noteable is not visible to the user (e.g. confidential),
we prevent the user from adding emoji reactions to its notes.
Heinrich Lee Yu 2019-01-15 16:21:28 +08:00 committed by Yorick Peterse
parent 6c0758f69b
commit 9f67b886b2
No known key found for this signature in database
GPG key ID: EDD30D2BEB691AC9
3 changed files with 8 additions and 0 deletions


@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
prevent :read_note prevent :read_note
prevent :admin_note prevent :admin_note
prevent :resolve_note prevent :resolve_note
prevent :award_emoji
end end
rule { is_author }.policy do rule { is_author }.policy do
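Review bot: The `prevent` list in this block is a hand-maintained deny-list, and the added `prevent :award_emoji` line shows that an ability can be missing from it without anything failing. A comment above the list would make the contract explicit, for example `# Every ability that acts on a note must be prevented here; add new note abilities to this list.` The `rule` line that opens this block is outside the hunk, so the exact condition should be confirmed before wording the comment. It is also worth confirming that no other note-level ability remains allowed under that condition.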


@ -0,0 +1,5 @@
---
title: Prevent awarding emojis to notes whose parent is not visible to user
merge_request:
author:
type: security


@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_disallowed(:admin_note) expect(policy).to be_disallowed(:admin_note)
expect(policy).to be_disallowed(:resolve_note) expect(policy).to be_disallowed(:resolve_note)
expect(policy).to be_disallowed(:read_note) expect(policy).to be_disallowed(:read_note)
expect(policy).to be_disallowed(:award_emoji)
end end
end end
@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_allowed(:admin_note) expect(policy).to be_allowed(:admin_note)
expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:resolve_note)
expect(policy).to be_allowed(:read_note) expect(policy).to be_allowed(:read_note)
expect(policy).to be_allowed(:award_emoji)
end end
end end
end end
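Review bot: The added `be_disallowed(:award_emoji)` and `be_allowed(:award_emoji)` expectations exercise only the policy object, so they do not show that the code path creating an award emoji checks `:award_emoji` against the note rather than against its parent. If that is not covered elsewhere, a request-level spec expecting a denial for a note on a non-readable noteable would pin the fix end to end. The enclosing `describe` and `context` blocks start outside both hunks. The `describe` line quoted in the hunk headers carries `mdoels: true`, which looks like a misspelled metadata key and may mean the intended spec tag is not applied.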