12d7b3937f
In the Snippets::NotesController the noteable was resolved and authorized through the :snippet_id, so by passing a :target_id for a different snippet it was possible to create a note on a snippet where the user would be unauthorized to do so otherwise. This fixes the problem by ignoring the :target_id and :target_type from the request, and using the same noteable for creation and authorization.
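The authorization mismatch the commit message describes, modelled as an added example in plain Ruby (this is not GitLab's code: the Snippet, User and Note structs, the in-memory SNIPPETS table, the readable_by? rule and the two controller classes are stand-ins that assume a simple "public or own" visibility check). The vulnerable shape authorizes the snippet found via :snippet_id but attaches the note to whatever :target_id the request carries; the fixed shape attaches the note to the object it authorized and ignores :target_id / :target_type entirely.

```ruby
# Added example, not GitLab's Snippets::NotesController. Models, data and
# controllers below are constructed stand-ins for the pattern in the fix.

Snippet = Struct.new(:id, :author_id, :visibility) do
  # Assumed authorization rule: public snippets are readable by anyone,
  # private ones only by their author.
  def readable_by?(user)
    visibility == :public || author_id == user.id
  end
end

User = Struct.new(:id)
Note = Struct.new(:noteable_id, :author_id, :body)

class Unauthorized < StandardError; end

# Constructed in-memory "database": snippet 2 is private and owned by
# a different user than the attacker used below.
SNIPPETS = {
  1 => Snippet.new(1, 100, :public),
  2 => Snippet.new(2, 200, :private)
}.freeze

# Vulnerable shape: the noteable is resolved and authorized through
# :snippet_id, but the note is created against :target_id from the request.
class VulnerableNotesController
  def initialize(user, params)
    @user = user
    @params = params
  end

  def create
    noteable = SNIPPETS.fetch(@params[:snippet_id])
    raise Unauthorized unless noteable.readable_by?(@user)

    # BUG: the attacker controls which snippet the note lands on; it was
    # never authorized against this target.
    target_id = @params.fetch(:target_id, noteable.id)
    Note.new(target_id, @user.id, @params[:note])
  end
end

# Fixed shape: the object that passed authorization is the object the
# note is attached to; :target_id / :target_type are simply not read.
class FixedNotesController
  def initialize(user, params)
    @user = user
    @params = params
  end

  def create
    noteable = SNIPPETS.fetch(@params[:snippet_id])
    raise Unauthorized unless noteable.readable_by?(@user)

    Note.new(noteable.id, @user.id, @params[:note])
  end
end

# Attacker (user 999) is allowed to read public snippet 1 and smuggles
# :target_id pointing at private snippet 2. Returns the created note.
def exploit_attempt(controller_class)
  attacker = User.new(999)
  params = { snippet_id: 1, target_id: 2, target_type: "Snippet", note: "hi" }
  controller_class.new(attacker, params).create
end

# Sanity check that the direct route to the private snippet is still denied.
def direct_private_access_denied?(controller_class)
  controller_class.new(User.new(999), { snippet_id: 2, note: "x" }).create
  false
rescue Unauthorized
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: note attached to snippet #{exploit_attempt(VulnerableNotesController).noteable_id}"
  puts "fixed:      note attached to snippet #{exploit_attempt(FixedNotesController).noteable_id}"
end
```

The general lesson is the one the commit applies: whatever object was looked up for the authorization check must be the same object handed to the create path, with any request parameter that could redirect the write dropped rather than merely validated.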
5 lines
105 B
YAML
---
title: Correctly check permissions when creating snippet notes
merge_request:
author:
type: security