Commit
e4f63d3c
authored
Mar 23, 2020
by
Jarka Košanová
Check confidential notes notifications permissions
- also fix visibility of confidential notes for admins
parent
3af09062
Showing
6 changed files
with
85 additions
and
5 deletions
+85
-5
app/models/notification_recipient.rb
app/models/notification_recipient.rb
+5
-3
app/policies/note_policy.rb
app/policies/note_policy.rb
+1
-1
app/services/notification_recipients/builder/base.rb
app/services/notification_recipients/builder/base.rb
+6
-1
app/services/notification_recipients/builder/new_note.rb
app/services/notification_recipients/builder/new_note.rb
+4
-0
spec/policies/note_policy_spec.rb
spec/policies/note_policy_spec.rb
+5
-0
spec/services/notification_recipients/builder/new_note_spec.rb
...services/notification_recipients/builder/new_note_spec.rb
+64
-0
app/models/notification_recipient.rb
...
@@ -74,10 +74,12 @@ class NotificationRecipient
...
@@ -74,10 +74,12 @@ class NotificationRecipient
end
end
def
unsubscribed?
def
unsubscribed?
return
false
unless
@target
subscribable_target
=
@target
.
is_a?
(
Note
)
?
@target
.
noteable
:
@target
return
false
unless
@target
.
respond_to?
(
:subscriptions
)
subscription
=
@target
.
subscriptions
.
find
{
|
subscription
|
subscription
.
user_id
==
@user
.
id
}
return
false
unless
subscribable_target
return
false
unless
subscribable_target
.
respond_to?
(
:subscriptions
)
subscription
=
subscribable_target
.
subscriptions
.
find
{
|
subscription
|
subscription
.
user_id
==
@user
.
id
}
subscription
&&
!
subscription
.
subscribed
subscription
&&
!
subscription
.
subscribed
end
end
...
...
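Review bot: In the rewritten `unsubscribed?` the block parameter of `find { |subscription| ... }` shadows the `subscription` local that the very same statement assigns, which makes the line harder to read and is something RuboCop flags; `subscription = subscribable_target.subscriptions.find { |s| s.user_id == @user.id }` avoids it. The derivation of `subscribable_target` also deserves a one-line comment, since the reader has to guess why a Note is resolved to its noteable before subscriptions are consulted, e.g. `# Subscriptions belong to the noteable, so a Note is resolved to its parent first.` — that reading is inferred from the `is_a?(Note) ? @target.noteable : @target` expression and should be confirmed against the Subscription model. The class containing this method continues outside the hunk.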
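--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -19,7 +19,7 @@ class NotePolicy < BasePolicy
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
   condition(:can_read_confidential) do
-    access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user)
+    access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
   end
 
   rule { ~editable }.prevent :admin_note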
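Review bot: The `can_read_confidential` condition now chains three unrelated grants on one line and nothing records why each is there, so a later reader cannot tell whether `admin?` is intended as an unconditional bypass of the project-membership threshold that `REPORTER` expresses. A comment above the condition would make the widened readership auditable: `# Confidential notes are readable by project reporters and above, by the noteable's author or assignee, and by instance admins.` Splitting the disjuncts into separately named conditions would additionally keep each grant on its own line in the rule table. Whether `admin?` carries any further qualification is not visible on this page.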
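--- a/app/services/notification_recipients/builder/base.rb
+++ b/app/services/notification_recipients/builder/base.rb
@@ -23,6 +23,11 @@ module NotificationRecipients
         raise 'abstract'
       end
 
+      # override if needed
+      def recipients_target
+        target
+      end
+
       def project
         target.project
       end
@@ -59,7 +64,7 @@ module NotificationRecipients
           project: project,
           group: group,
           custom_action: custom_action,
-          target: target,
+          target: recipients_target,
           acting_user: acting_user
         )
       end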
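Review bot: `# override if needed` on the new `recipients_target` hook says nothing about what overriding it changes, yet the second hunk hands its return value to every recipient as `target:`, so a subclass author has to read the recipient constructor call to learn the consequence. A comment stating the contract would fix that, e.g. `# Object passed to each NotificationRecipient as its target. Defaults to the build target; override when recipients must be evaluated against a different object (see NewNote).` The same gap exists in app/services/notification_recipients/builder/new_note.rb, whose override returns `note` while the method just above it returns `note.noteable`, with no comment explaining why the two differ. What the recipient does with its target is not visible on this page, and the method containing the second hunk starts outside it.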
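--- a/app/services/notification_recipients/builder/new_note.rb
+++ b/app/services/notification_recipients/builder/new_note.rb
@@ -12,6 +12,10 @@ module NotificationRecipients
         note.noteable
       end
 
+      def recipients_target
+        note
+      end
+
       # NOTE: may be nil, in the case of a PersonalSnippet
       #
       # (this is okay because NotificationRecipient is written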
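--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -263,6 +263,7 @@ describe NotePolicy do
     let(:non_member) { create(:user) }
     let(:author) { create(:user) }
     let(:assignee) { create(:user) }
+    let(:admin) { create(:admin) }
 
     before do
       project.add_reporter(reporter)
@@ -294,6 +295,10 @@ describe NotePolicy do
       expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
     end
 
+    it 'allows admins to read all notes and admin them' do
+      expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :resolve_note, :award_emoji)
+    end
+
     it 'allows noteable author to read and resolve all notes' do
       expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
       expect(permissions(author, confidential_note)).to be_disallowed(:admin_note)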
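Review bot: The new example 'allows admins to read all notes and admin them' only exercises `confidential_note`, so the "all notes" in its name promises more than the single expectation asserts. Either add the non-confidential case alongside it, if the surrounding block defines such a note, or narrow the description to `it 'allows admins to read and admin confidential notes' do`. The describe block that holds both hunks starts and ends outside them.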
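--- /dev/null
+++ b/spec/services/notification_recipients/builder/new_note_spec.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe NotificationRecipients::Builder::NewNote do
+  describe '#notification_recipients' do
+    let_it_be(:group) { create(:group, :public) }
+    let_it_be(:project) { create(:project, :public, group: group) }
+    let_it_be(:issue) { create(:issue, project: project) }
+
+    let_it_be(:other_user) { create(:user) }
+    let_it_be(:participant) { create(:user) }
+    let_it_be(:non_member_participant) { create(:user) }
+    let_it_be(:group_watcher) { create(:user) }
+    let_it_be(:project_watcher) { create(:user) }
+    let_it_be(:guest_project_watcher) { create(:user) }
+    let_it_be(:subscriber) { create(:user) }
+    let_it_be(:unsubscribed_user) { create(:user) }
+    let_it_be(:non_member_subscriber) { create(:user) }
+
+    let_it_be(:notification_setting_project_w) { create(:notification_setting, source: project, user: project_watcher, level: 2) }
+    let_it_be(:notification_setting_guest_w) { create(:notification_setting, source: project, user: guest_project_watcher, level: 2) }
+    let_it_be(:notification_setting_group_w) { create(:notification_setting, source: group, user: group_watcher, level: 2) }
+    let_it_be(:subscriptions) do
+      [
+        create(:subscription, project: project, user: subscriber, subscribable: issue, subscribed: true),
+        create(:subscription, project: project, user: unsubscribed_user, subscribable: issue, subscribed: false),
+        create(:subscription, project: project, user: non_member_subscriber, subscribable: issue, subscribed: true)
+      ]
+    end
+
+    subject { described_class.new(note) }
+
+    before do
+      project.add_developer(participant)
+      project.add_developer(project_watcher)
+      project.add_guest(guest_project_watcher)
+      project.add_developer(subscriber)
+      group.add_developer(group_watcher)
+
+      expect(issue).to receive(:participants).and_return([participant, non_member_participant])
+    end
+
+    context 'for public notes' do
+      let_it_be(:note) { create(:note, noteable: issue, project: project) }
+
+      it 'adds all participants, watchers and subscribers' do
+        expect(subject.notification_recipients.map(&:user)).to contain_exactly(
+          participant, non_member_participant, project_watcher, group_watcher, guest_project_watcher, subscriber, non_member_subscriber
+        )
+      end
+    end
+
+    context 'for confidential notes' do
+      let_it_be(:note) { create(:note, :confidential, noteable: issue, project: project) }
+
+      it 'adds all participants, watchers and subscribers that are project memebrs' do
+        expect(subject.notification_recipients.map(&:user)).to contain_exactly(
+          participant, project_watcher, group_watcher, subscriber
+        )
+      end
+    end
+  end
+end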
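Review bot: The example description in the confidential context misspells "members" as `memebrs`; it should read `it 'adds all participants, watchers and subscribers that are project members' do`. `other_user` is defined but never referenced by any setup or expectation, so it either should be dropped or, if it is meant as a control, mentioned in the example so the intent is visible. The exclusion of `unsubscribed_user` and `non_member_subscriber` is asserted only implicitly through `contain_exactly`; a short example stating that an unsubscribed member and a non-member subscriber are left out of a confidential note's recipients would make the purpose of the `subscribed: false` fixture explicit. `let_it_be(:subscriptions)` is likewise never referenced by name, so the spec relies on that helper creating the rows eagerly, which a one-line comment on the block could record.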