• Mario de la Ossa's avatar
    Fixed permissions in comments · 3c26c031
    Mario de la Ossa authored
    When creating comments, sending different noteable IDs for target_id and
    note[:noteable_id] would allow you to bypass comment creation security
    if the user had creation permissions for target_id. The comment would be
    created in note[:noteable_id].
    
    Also made it so that users cannot edit/delete their comments on a
    noteable that becomes unreadable to them (if it gets flagged
    confidential and they don't have read access for example)
    3c26c031
notes_actions.rb 7.17 KB