    Send TODOs for comments on commits correctly · 77660c99
    Nick Thomas authored
    At present, the TodoService uses the `:read_project` ability to decide
    whether a user can read a note on a commit. However, commits can have a
    visibility level that is more restricted than the project, so this is a
    security issue.
    
    This commit changes the code to use the `:read_commit` ability in this
    case instead, which ensures TODOs are only generated for commit notes
    if the users can see the commit.
security-64711-fix-commit-todos.yml 94 Bytes
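The commit message above describes a container-versus-object authorization mismatch: a check on the enclosing project does not imply the user may see a particular commit within it. The following is an added illustration of that pattern in plain Ruby; it is not GitLab's TodoService or its ability system. The `Project`, `Commit`, `User` structs, the `can?` helper, the `:read_project`/`:read_commit` names as used here, the per-commit `visibility` attribute and the sample data are all constructed for this example.

```ruby
# Added example (not GitLab code): a TODO recipient filter gated on the
# enclosing project versus one gated on the commit itself.

Project = Struct.new(:name, :visibility)           # :public or :private (constructed)
Commit  = Struct.new(:sha, :project, :visibility)  # commit may be more restricted than its project
User    = Struct.new(:name, :member_of)            # member_of: array of project names

def member?(user, project)
  user.member_of.include?(project.name)
end

# Hypothetical ability resolver standing in for a real policy layer.
def can?(user, ability, subject)
  case ability
  when :read_project
    subject.visibility == :public || member?(user, subject)
  when :read_commit
    # Readable only if the project is readable AND the commit is not
    # restricted beyond what this user is entitled to see.
    can?(user, :read_project, subject.project) &&
      (subject.visibility == :public || member?(user, subject.project))
  else
    false
  end
end

# Flawed variant: decides on the project, so a restricted commit leaks a TODO
# (and the note it carries) to anyone who can read the project.
def todo_recipients_before(users, commit)
  users.select { |u| can?(u, :read_project, commit.project) }.map(&:name)
end

# Fixed variant: decides on the commit, the object the note actually belongs to.
def todo_recipients_after(users, commit)
  users.select { |u| can?(u, :read_commit, commit) }.map(&:name)
end

# Constructed sample data: a public project containing a private commit.
PUBLIC_PROJECT    = Project.new("sample-project", :public)
RESTRICTED_COMMIT = Commit.new("0000000", PUBLIC_PROJECT, :private)  # placeholder sha
SAMPLE_USERS = [
  User.new("alice", ["sample-project"]),  # project member
  User.new("bob",   []),                  # non-member who can read the public project
]

if __FILE__ == $0
  puts "before: #{todo_recipients_before(SAMPLE_USERS, RESTRICTED_COMMIT).inspect}"
  puts "after:  #{todo_recipients_after(SAMPLE_USERS, RESTRICTED_COMMIT).inspect}"
end
```

Running the file shows `bob` receiving a TODO under the project-level check but not under the commit-level check; the general lesson is to authorize against the most specific object the action touches, not its container.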