gitlab-org--gitlab-foss/changelogs/unreleased/security-notes-in-private-snippets.yml
Markus Koller 12d7b3937f
Correctly check permissions when creating snippet notes
In the Snippets::NotesController the noteable was resolved and
authorized through the :snippet_id, so by passing a :target_id for a
different snippet it was possible to create a note on a snippet
where the user would be unauthorized to do so otherwise.

This fixes the problem by ignoring the :target_id and :target_type from
the request, and using the same noteable for creation and authorization.
2019-06-06 09:32:18 +02:00

---
title: Correctly check permissions when creating snippet notes
merge_request:
author:
type: security
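The commit message above describes an authorization mismatch: the permission check ran against the snippet named by `:snippet_id`, while the note itself was attached to whatever `:target_id` / `:target_type` the request supplied. The following Ruby is an added illustration written for this page, not GitLab's code. `Snippet`, `Note`, `can_create_note?` and the two `create_note_*` functions are simplified stand-ins for the real controller and models, and the sample snippets and request are constructed. It shows the vulnerable shape beside the fixed shape, in which the object that was authorized is the only object the note can be attached to.

```ruby
# Added illustration of the snippet-note authorization bug and its fix.
# Not GitLab's code: Snippet, Note and the helper functions are stand-ins.

Snippet = Struct.new(:id, :author_id, :visibility)
Note = Struct.new(:noteable_id, :noteable_type, :author_id, :body)

class Unauthorized < StandardError; end

# Constructed sample data: a public snippet owned by alice and a private
# snippet owned by bob.
SNIPPETS = {
  1 => Snippet.new(1, "alice", :public),
  2 => Snippet.new(2, "bob", :private)
}.freeze

# Simplified policy: a user may comment on a snippet if it is public or
# they own it.
def can_create_note?(user_id, snippet)
  snippet.visibility == :public || snippet.author_id == user_id
end

# Vulnerable shape: the permission check uses the snippet from :snippet_id,
# but the note is built from :target_id / :target_type taken straight from
# the request, so the checked object and the written object can differ.
def create_note_vulnerable(user_id, params)
  noteable = SNIPPETS.fetch(params[:snippet_id])
  raise Unauthorized unless can_create_note?(user_id, noteable)

  Note.new(params[:target_id], params[:target_type], user_id, params[:body])
end

# Fixed shape: :target_id and :target_type from the request are ignored and
# the note is attached to the same noteable that was just authorized.
def create_note_fixed(user_id, params)
  noteable = SNIPPETS.fetch(params[:snippet_id])
  raise Unauthorized unless can_create_note?(user_id, noteable)

  Note.new(noteable.id, "Snippet", user_id, params[:body])
end

# Constructed request: authorized against public snippet 1, but naming
# private snippet 2 (which carol cannot access) as the target.
MISMATCHED_PARAMS = {
  snippet_id: 1, target_id: 2, target_type: "Snippet", body: "hi"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable attaches to snippet #{create_note_vulnerable('carol', MISMATCHED_PARAMS).noteable_id}"
  puts "fixed attaches to snippet #{create_note_fixed('carol', MISMATCHED_PARAMS).noteable_id}"
end
```

The general check this models is that the object an authorization decision was made about must be the same object the write is performed on; any identifier that can re-target the write after the check has run is a second, unauthorized input.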