35b8f103a8
Change the note permission check to use the policy of the Noteable rather than the policy of the Project, so that rules defined on the Noteable (locked discussions, confidential issues) can no longer be bypassed. Also re-check permissions when `reply_to_discussion_id` is provided, because the referenced discussion may belong to a different noteable than the one in the request.
# frozen_string_literal: true
# Authorization rules for personal (project-less) snippets.
#
# Summary of what the rules below grant:
# - public snippets: anyone (including external users) may read and comment
# - internal snippets: read/comment only for non-external users
# - the author: read, comment, update, destroy and admin
# - full_private_access: read only
# Note-level abilities (create_note, award_emoji) are derived from
# comment_personal_snippet, so every comment restriction applies to them.
#
# `anonymous`, `external_user` and `full_private_access` are not defined in
# this file; presumably they are inherited from BasePolicy.
class PersonalSnippetPolicy < BasePolicy
  # Conditions that depend only on the snippet. `scope: :subject` is
  # presumably a DeclarativePolicy caching hint (per-subject, user-independent).
  condition(:public_snippet, scope: :subject) { @subject.public? }
  condition(:internal_snippet, scope: :subject) { @subject.internal? }

  # Depends on both user and subject. The `@user &&` guard makes an
  # anonymous (nil) user never match, even if the snippet's author is nil.
  condition(:is_author) { @user && @subject.author == @user }

  # Read + comment: public snippets for everyone, internal snippets only for
  # non-external users. Note that external users are NOT excluded from
  # public snippets.
  rule { public_snippet | (internal_snippet & ~external_user) }.policy do
    enable :read_personal_snippet
    enable :comment_personal_snippet
  end

  # The author has full control over their own snippet.
  rule { is_author }.policy do
    enable :read_personal_snippet
    enable :comment_personal_snippet
    enable :update_personal_snippet
    enable :destroy_personal_snippet
    enable :admin_personal_snippet
  end

  # Any signed-in user may create personal snippets, except external users.
  rule { ~anonymous }.enable :create_personal_snippet
  rule { external_user }.prevent :create_personal_snippet

  # Anonymous users never comment, even on public snippets.
  rule { anonymous }.prevent :comment_personal_snippet

  # Note and emoji abilities are granted through the comment ability rather
  # than directly, so a single rule set decides who may comment.
  rule { can?(:comment_personal_snippet) }.policy do
    enable :create_note
    enable :award_emoji
  end

  # Elevated access is read-only here: it does not grant comment, update,
  # destroy or admin on the snippet.
  rule { full_private_access }.enable :read_personal_snippet
end