Commit ed6c8238 authored by Douwe Maan's avatar Douwe Maan

Add access checks for diff note and discussion resolution

parent bbab5d01
...@@ -257,6 +257,7 @@ class Ability ...@@ -257,6 +257,7 @@ class Ability
:create_merge_request, :create_merge_request,
:create_wiki, :create_wiki,
:push_code, :push_code,
:resolve_note,
:create_container_image, :create_container_image,
:update_container_image, :update_container_image,
:create_environment, :create_environment,
...@@ -426,7 +427,8 @@ class Ability ...@@ -426,7 +427,8 @@ class Ability
rules += [ rules += [
:read_note, :read_note,
:update_note, :update_note,
:admin_note :admin_note,
:resolve_note
] ]
end end
...@@ -434,6 +436,10 @@ class Ability ...@@ -434,6 +436,10 @@ class Ability
rules += project_abilities(user, note.project) rules += project_abilities(user, note.project)
end end
if note.for_merge_request? && note.noteable.author == user
rules << :resolve_note
end
rules rules
end end
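Review bot: The author rule added in the last hunk compares `note.noteable.author == user` without first checking that `user` is present. If these note rules can be computed for a signed-out user and the merge request has no author record, both sides are nil and `:resolve_note` is granted. The Discussion change in this same commit guards with `return false unless current_user`; the matching form here would be `if user && note.for_merge_request? && note.noteable.author == user`. The rule also does not check that the note is resolvable or that the author can still read the project, so that is worth confirming against the enclosing method, whose start is outside the hunk.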
......
...@@ -63,6 +63,14 @@ class Discussion ...@@ -63,6 +63,14 @@ class Discussion
notes.any?(&:to_be_resolved?) notes.any?(&:to_be_resolved?)
end end
def can_resolve?(current_user)
return false unless current_user
return false unless resolvable?
current_user == self.noteable.author ||
can?(current_user, :push_code, self.project)
end
def resolve!(current_user) def resolve!(current_user)
notes.each do |note| notes.each do |note|
note.resolve!(current_user) if note.resolvable? note.resolve!(current_user) if note.resolvable?
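Review bot: `can_resolve?` hard-codes `:push_code` instead of asking for the `:resolve_note` ability this commit introduces, so the discussion-level and note-level authorization rules can drift apart when either one changes. Assuming the first Ability hunk is the project-level rule list, the second operand could be `can?(current_user, :resolve_note, self.project)`, which keeps the policy in one place. Separately, the `resolve!` shown in the context lines does not call `can_resolve?`, so enforcement depends on every caller checking first; its body continues outside the hunk. A comment on `resolve!` such as `# Callers must check can_resolve?(current_user) first; this method does not authorize.` and a spec for an unauthorized user would make that contract explicit.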
......