Merge branch 'fix-guest-access-posting-to-notes' into 'security'
Prevent users from creating notes on resources they can't access. See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
This commit is contained in:
parent
3a5df1d8fc
commit
a1f959430b
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
title: Prevent users from creating notes on resources they can't access
|
||||||
|
merge_request:
|
||||||
|
author:
|
|
@ -70,21 +70,27 @@ module API
|
||||||
end
|
end
|
||||||
post ":id/#{noteables_str}/:noteable_id/notes" do
|
post ":id/#{noteables_str}/:noteable_id/notes" do
|
||||||
opts = {
|
opts = {
|
||||||
note: params[:body],
|
note: params[:body],
|
||||||
noteable_type: noteables_str.classify,
|
noteable_type: noteables_str.classify,
|
||||||
noteable_id: params[:noteable_id]
|
noteable_id: params[:noteable_id]
|
||||||
}
|
}
|
||||||
|
|
||||||
if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
|
noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
|
||||||
opts[:created_at] = params[:created_at]
|
|
||||||
end
|
|
||||||
|
|
||||||
note = ::Notes::CreateService.new(user_project, current_user, opts).execute
|
if can?(current_user, noteable_read_ability_name(noteable), noteable)
|
||||||
|
if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
|
||||||
|
opts[:created_at] = params[:created_at]
|
||||||
|
end
|
||||||
|
|
||||||
if note.valid?
|
note = ::Notes::CreateService.new(user_project, current_user, opts).execute
|
||||||
present note, with: Entities::const_get(note.class.name)
|
|
||||||
|
if note.valid?
|
||||||
|
present note, with: Entities::const_get(note.class.name)
|
||||||
|
else
|
||||||
|
not_found!("Note #{note.errors.messages}")
|
||||||
|
end
|
||||||
else
|
else
|
||||||
not_found!("Note #{note.errors.messages}")
|
not_found!("Note")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
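Review bot: The added `noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])` raises `ActiveRecord::RecordNotFound` for an id that does not exist in the project, whereas the old path handed `noteable_id` to `Notes::CreateService` and reported failure through `note.errors`; that is only a 404 if the API base class rescues `RecordNotFound`, which I believe it does but which this hunk does not show, so confirm a bogus id does not now surface as a 500. The guard `if can?(current_user, noteable_read_ability_name(noteable), noteable)` is the security-relevant line and deserves a why-comment, e.g. `# Check read access before creating anything: a user who cannot see the noteable (e.g. a guest and a confidential issue) must not be able to attach a note to it, and gets the same 404 as for a missing record.` Since `send` accepts a String, the `.to_sym` is redundant; it is harmless provided `noteables_str` comes from the fixed list the enclosing loop presumably iterates rather than from the request — that loop, and the `noteable_read_ability_name` helper, start outside the hunk.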
@ -264,6 +264,18 @@ describe API::Notes, api: true do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when user does not have access to read the noteable' do
|
||||||
|
it 'responds with 404' do
|
||||||
|
project = create(:empty_project, :private) { |p| p.add_guest(user) }
|
||||||
|
issue = create(:issue, :confidential, project: project)
|
||||||
|
|
||||||
|
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
|
||||||
|
body: 'Foo'
|
||||||
|
|
||||||
|
expect(response).to have_http_status(404)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context 'when user does not have access to create noteable' do
|
context 'when user does not have access to create noteable' do
|
||||||
let(:private_issue) { create(:issue, project: create(:empty_project, :private)) }
|
let(:private_issue) { create(:issue, project: create(:empty_project, :private)) }
|
||||||
|
|
||||||
|
|
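Review bot: The new example only exercises the issues path, while the endpoint under test is generated for every noteable type (`post ":id/#{noteables_str}/:noteable_id/notes"`), so the read check on merge requests and snippets has no coverage; a second example using a private project's merge request or snippet that the guest cannot read would pin the behaviour for those types. `expect(response).to have_http_status(404)` also cannot tell the new authorization 404 apart from a record-not-found 404; if `not_found!` echoes its argument in the response body, asserting on the `"Note"` message from the new `not_found!("Note")` branch would make the example specific to the change.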