8 commits

Author SHA1 Message Date
Markus Koller
12d7b3937f Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and
authorized through the :snippet_id, so by passing a :target_id for a
different snippet it was possible to create a note on a snippet
where the user would be unauthorized to do so otherwise.

This fixes the problem by ignoring the :target_id and :target_type from
the request, and using the same noteable for creation and authorization.
2019-06-06 09:32:18 +02:00
Heinrich Lee Yu
d03dee26b9 Refactor params for notes_actions
Removes unneeded params from permitted list

This also fixes commenting on commits with a hash starting with a large
number
2019-02-23 09:38:58 +08:00
gfyoung
12ee2753c1 Enable even more frozen string in app/controllers
Enables frozen string for some vestigial files as
well as the following:

* app/controllers/projects/**/*.rb
* app/controllers/sherlock/**/*.rb
* app/controllers/snippets/**/*.rb
* app/controllers/users/**/*.rb

Partially addresses #47424.
2018-09-25 22:43:49 -07:00
Yorick Peterse
2039c8280d Disable existing offenses for the CodeReuse cops
This whitelists all existing offenses for the various CodeReuse cops, of
which most are triggered by the CodeReuse/ActiveRecord cop.
2018-09-11 17:32:00 +02:00
Bob Van Landuyt
f1d3ea63cf Show the status of a user in interactions
The status is shown for
- The author of a commit when viewing a commit
- Notes on a commit (regular/diff)
- The user that triggered a pipeline when viewing a pipeline
- The author of a merge request when viewing a merge request
- The author of notes on a merge request (regular/diff)
- The author of an issue when viewing an issue
- The author of notes on an issue
- The author of a snippet when viewing a snippet
- The author of notes on a snippet
- A user's profile page
- The list of members of a group/user
2018-07-30 15:01:26 +02:00
Douwe Maan
f691010d5c Make sure NotesActions#noteable returns a Noteable in the update action
2017-11-16 15:12:23 +01:00
Jarka Kadlecova
e4f7b87ddb Support comments for personal snippets
2017-05-05 15:45:49 +02:00
Jarka Kadlecova
8c3a03c1b9 Display comments for personal snippets
2017-05-02 13:07:53 +02:00