642f6b3816
At present, the TodoService uses the `:read_project` ability to decide whether a user can read a note on a commit. However, commits can have a visibility level that is more restricted than the project, so this is a security issue. This commit changes the code to use the `:read_commit` ability in this case instead, which ensures TODOs are only generated for commit notes if the users can see the commit.
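As an added illustration of the authorization point made in the commit message (this is not GitLab's code: the `Project`, `Commit`, `Note` and `User` classes and the `can?` helper are a constructed toy model standing in for the real `:read_project` and `:read_commit` abilities), the following shows why checking the container's ability is insufficient when the commit's visibility is narrower than the project's, and what the narrower check looks like:

```ruby
# Added illustration, not GitLab's code. Minimal model of the bug described in
# the commit message: a commit's readability can be narrower than the project's,
# so a TODO check must use the commit-level ability, not the project-level one.

# Hypothetical project: visibility is project-wide, repository_access can
# further restrict who may read commits (constructed model).
class Project
  attr_reader :visibility, :repository_access, :members

  def initialize(visibility:, repository_access:, members:)
    @visibility = visibility                # :public or :private
    @repository_access = repository_access  # :everyone or :members_only
    @members = members
  end

  def member?(user)
    members.include?(user)
  end
end

Commit = Struct.new(:project, :sha)
Note   = Struct.new(:commit, :author, :body)
User   = Struct.new(:name)

# Hypothetical ability check standing in for the :read_project and
# :read_commit abilities named in the commit message.
def can?(user, ability, subject)
  case ability
  when :read_project
    subject.visibility == :public || subject.member?(user)
  when :read_commit
    project = subject.project
    # Reading a commit requires reading the project AND passing the
    # stricter repository-level restriction.
    can?(user, :read_project, project) &&
      (project.repository_access == :everyone || project.member?(user))
  else
    false
  end
end

# Before the fix: only the container (project) is checked.
def todo_allowed_before_fix?(user, note)
  can?(user, :read_project, note.commit.project)
end

# After the fix: the narrowest resource the TODO would reveal is checked.
def todo_allowed_after_fix?(user, note)
  can?(user, :read_commit, note.commit)
end

# Constructed scenario: public project whose repository is members-only.
def scenario
  insider  = User.new("insider")
  outsider = User.new("outsider")
  project  = Project.new(visibility: :public,
                         repository_access: :members_only,
                         members: [insider])
  note     = Note.new(Commit.new(project, "deadbeef"), insider, "@outsider please look")
  {
    before: todo_allowed_before_fix?(outsider, note), # true: TODO leaks commit
    after:  todo_allowed_after_fix?(outsider, note),  # false: correctly denied
    member: todo_allowed_after_fix?(insider, note)    # true: members still get TODOs
  }
end

if __FILE__ == $PROGRAM_NAME
  scenario.each { |label, allowed| puts "#{label}: #{allowed}" }
end
```

The model deliberately makes `:read_commit` imply `:read_project` and then add a condition, which is the property that makes the project-level check a superset of what the commit-level check permits.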
5 lines
94 B
YAML
---
title: Send TODOs for comments on commits correctly
merge_request:
author:
type: security
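Review bot: `merge_request:` and `author:` are left without values in this changelog entry; unless the changelog tooling treats an empty `merge_request:` as intentional for security-typed entries, fill in the merge request iid (and author, if the change is not from a team member) so the generated changelog can link back to the change.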