Don't allow to edit award emoji comments

2015-12-10 14:36:31 +02:00 · 2015-12-10 14:36:31 +02:00 · e3ee46a13b
parent bdc62d704c
commit e3ee46a13b
3 changed files with 19 additions and 1 deletions
--- a/1
+++ b/1
@ -27,6 +27,7 @@ v 8.3.0 (unreleased)
  - Improve wording on project visibility levels (Zeger-Jan van de Weg)
  - Automatically select default clone protocol based on user preferences (Eirik Lygre)
  - Make Network page as sub tab of Commits
+  - Prevent possible XSS attack with award-emoji

 v 8.2.3
  - Fix application settings cache not expiring after changes (Stan Hu)
--- a/app/models/note.rb
+++ b/app/models/note.rb
@ -350,7 +350,7 @@ class Note < ActiveRecord::Base
  end

  def editable?
-    !system?
+    !system? && !is_award
  end

  # Checks if note is an award added as a comment
--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@ -142,4 +142,21 @@ describe Note, models: true do
      expect(Note.grouped_awards.first.last).to match_array(Note.all)
    end
  end
+
+  describe "editable?" do
+    it "returns true" do
+      note = build(:note)
+      expect(note.editable?).to be_truthy
+    end
+
+    it "returns false" do
+      note = build(:note, system: true)
+      expect(note.editable?).to be_falsy
+    end
+
+    it "returns false" do
+      note = build(:note, is_award: true, note: "smiley")
+      expect(note.editable?).to be_falsy
+    end
+  end
 end