d30a90a354
* Prevent creating notes on inaccessible MRs

  This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs.

* Prevent creating notes in inaccessible Issues

  Without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read.

* Add CHANGELOG entry
3 lines
101 B
YAML
---
title: Ensure only authorised users can create notes on Merge Requests and Issues
type: security
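Review bot: the `title:` line says only that authorised users can create notes, which does not tell a changelog reader that the fix concerns merge requests and issues the user cannot read (the private-issues case named in the commit message). Consider wording it around that condition, for example "Prevent creating notes on merge requests and issues the user cannot read". The commit message describes two policy changes, but only this changelog entry is visible here, so it is worth confirming that the policy changes ship with specs covering a non-team-member attempting to comment on an issue in a project with private issues.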