Commit 33b59e7f authored by Robert Speicher's avatar Robert Speicher Committed by Tomasz Maczukin

Merge branch '18535-confidential-issue-notes' into 'master'

Only show notes through JSON on confidential issues that the user has access to

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18535

See merge request !1970
parent d2480cfe
...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date. ...@@ -3,6 +3,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.6.9 v 8.6.9
- Prevent unauthorized access to other projects build traces - Prevent unauthorized access to other projects build traces
- Forbid scripting for wiki files - Forbid scripting for wiki files
- Only show notes through JSON on confidential issues that the user has access to
v 8.6.8 v 8.6.8
- Prevent privilege escalation via "impersonate" feature - Prevent privilege escalation via "impersonate" feature
......
...@@ -12,7 +12,7 @@ class NotesFinder ...@@ -12,7 +12,7 @@ class NotesFinder
when "commit" when "commit"
project.notes.for_commit_id(target_id).not_inline project.notes.for_commit_id(target_id).not_inline
when "issue" when "issue"
project.issues.find(target_id).notes.nonawards.inc_author project.issues.visible_to_user(current_user).find(target_id).notes.inc_author
when "merge_request" when "merge_request"
project.merge_requests.find(target_id).mr_and_commit_notes.nonawards.inc_author project.merge_requests.find(target_id).mr_and_commit_notes.nonawards.inc_author
when "snippet", "project_snippet" when "snippet", "project_snippet"
......
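Review bot: The new issue branch on the changed line drops `.nonawards` while the merge_request branch two lines below keeps it, so on this stable branch — where award emoji presumably are still stored as notes — the JSON endpoint would start returning award notes for issues that it filtered out before. If that scope still exists here the line should read `project.issues.visible_to_user(current_user).find(target_id).notes.nonawards.inc_author`. The access fix itself looks right: scoping the `find` through `visible_to_user(current_user)` makes an inaccessible confidential issue raise RecordNotFound instead of returning its notes, and it does not distinguish "does not exist" from "not allowed". Since this is a backport, it is worth confirming that `Issue.visible_to_user` is defined on the 8.6 branch. The `case` statement this line belongs to starts and ends outside the hunk.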
...@@ -34,5 +34,21 @@ describe NotesFinder do ...@@ -34,5 +34,21 @@ describe NotesFinder do
notes = NotesFinder.new.execute(project, user, params) notes = NotesFinder.new.execute(project, user, params)
expect(notes).to eq([note1]) expect(notes).to eq([note1])
end end
context 'confidential issue notes' do
let(:confidential_issue) { create(:issue, :confidential, project: project, author: user) }
let!(:confidential_note) { create(:note, noteable: confidential_issue, project: confidential_issue.project) }
let(:params) { { target_id: confidential_issue.id, target_type: 'issue', last_fetched_at: 1.hour.ago.to_i } }
it 'returns notes if user can see the issue' do
expect(NotesFinder.new.execute(project, user, params)).to eq([confidential_note])
end
it 'raises an error if user can not see the issue' do
user = create(:user)
expect { NotesFinder.new.execute(project, user, params) }.to raise_error(ActiveRecord::RecordNotFound)
end
end
end end
end end
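Review bot: The negative example at `user = create(:user)` shadows the outer `let(:user)` with a fresh non-member, which reads as if the same user were being reused; a distinct name such as `other_user = create(:user)` (or `let(:non_member) { create(:user) }`) makes the intent explicit. The positive example only covers the issue author, so a project member with sufficient access — and, as the boundary, a guest who should be refused — is not exercised; one example per role would pin the `visible_to_user` contract this fix relies on. The enclosing `describe` block starts outside the hunk.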