Add access checks for diff note and discussion resolution
This commit is contained in:
parent
bbab5d014f
commit
ed6c8238f3
|
@ -257,6 +257,7 @@ class Ability
|
|||
:create_merge_request,
|
||||
:create_wiki,
|
||||
:push_code,
|
||||
:resolve_note,
|
||||
:create_container_image,
|
||||
:update_container_image,
|
||||
:create_environment,
|
||||
|
@ -426,7 +427,8 @@ class Ability
|
|||
rules += [
|
||||
:read_note,
|
||||
:update_note,
|
||||
:admin_note
|
||||
:admin_note,
|
||||
:resolve_note
|
||||
]
|
||||
end
|
||||
|
||||
|
@ -434,6 +436,10 @@ class Ability
|
|||
rules += project_abilities(user, note.project)
|
||||
end
|
||||
|
||||
if note.for_merge_request? && note.noteable.author == user
|
||||
rules << :resolve_note
|
||||
end
|
||||
|
||||
rules
|
||||
end
|
||||
|
||||
|
|
|
@ -63,6 +63,14 @@ class Discussion
|
|||
notes.any?(&:to_be_resolved?)
|
||||
end
|
||||
|
||||
def can_resolve?(current_user)
|
||||
return false unless current_user
|
||||
return false unless resolvable?
|
||||
|
||||
current_user == self.noteable.author ||
|
||||
can?(current_user, :push_code, self.project)
|
||||
end
|
||||
|
||||
def resolve!(current_user)
|
||||
notes.each do |note|
|
||||
note.resolve!(current_user) if note.resolvable?
|
||||
|
|
Loading…
Reference in New Issue