35b8f103a8
Prevent comments by email when issue is locked
...
This changes the permission check so it uses the policy on Noteable
instead of Project. This prevents bypassing of rules defined in
Noteable for locked discussions and confidential issues.
Also rechecks permissions when reply_to_discussion_id is provided since the
discussion_id may be from a different noteable.
2019-01-31 16:52:48 +01:00
5e9e56924a
Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4'
...
[Port for security-10-4]: Makes SnippetFinder ensure feature visibility
2018-02-09 12:04:05 -06:00
27c95364b5
Replace '.team << [user, role]' with 'add_role(user)' in specs
2017-12-22 19:18:28 +11:00
72a7b30c9f
Change all `:empty_project` to `:project`
2017-08-02 17:47:31 -04:00
ddccd24c13
Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
...
Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-27 14:31:53 +02:00
37c401433b
convert all the policies to DeclarativePolicy
2017-06-27 12:44:37 -07:00
963b374dc7
update the specs to not require a set to be returned
2017-06-27 12:41:54 -07:00
a6ec5121f0
Correct RSpec/SingleLineHook cop offenses
2017-06-14 13:18:56 -05:00
ae6adf165c
Merge branch '25934-project-snippet-vis' into 'security-9-2'
...
Fix visibility when referencing snippets
See merge request !2101
2017-06-08 09:56:39 -07:00
ad309f5d11
Merge branch 'snippets-finder-visibility' into 'security'
...
Refactor snippets finder & dont return internal snippets for external users
See merge request !2094
2017-05-10 16:48:18 +02:00
46dff6910d
More backport
2017-02-06 17:19:37 -06:00
Heinrich Lee Yu