gitlab-org--gitlab-foss

History

Markus Koller 12d7b3937f Correctly check permissions when creating snippet notes In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise. This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.	2019-06-06 09:32:18 +02:00
..
notes_controller_spec.rb	Correctly check permissions when creating snippet notes	2019-06-06 09:32:18 +02:00

Correctly check permissions when creating snippet notes

In the Snippets::NotesController the noteable was resolved and
authorized through the :snippet_id, so by passing a :target_id for a
different snippet it was possible to create a note on a snippet
where the user would be unauthorized to do so otherwise.

This fixes the problem by ignoring the :target_id and :target_type from
the request, and using the same noteable for creation and authorization.

2019-06-06 09:32:18 +02:00

notes_controller_spec.rb

Correctly check permissions when creating snippet notes

2019-06-06 09:32:18 +02:00