    Correctly check permissions when creating snippet notes · 12d7b393
    Markus Koller authored
    In the Snippets::NotesController the noteable was resolved and
    authorized through the :snippet_id, so by passing a :target_id for a
    different snippet it was possible to create a note on a snippet
    where the user would be unauthorized to do so otherwise.
    
    This fixes the problem by ignoring the :target_id and :target_type from
    the request, and using the same noteable for creation and authorization.
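
The mismatch described in the commit message, as an added example in plain Ruby; it is not the code from this commit or from the project. The `Snippet` struct, the in-memory store, `can_create_note?` and both handler functions are hypothetical stand-ins, and the request hash is constructed.

```ruby
# Constructed stand-ins for snippets and the permission check; not project code.
Snippet = Struct.new(:id, :author, :visibility, :notes)
class Forbidden < StandardError; end

def fresh_store
  { 1 => Snippet.new(1, "alice", :public, []),   # anyone may comment
    2 => Snippet.new(2, "bob", :private, []) }   # only bob may comment
end

def can_create_note?(user, snippet)
  snippet.visibility == :public || snippet.author == user
end

# Before: the permission check uses :snippet_id, but creation trusts :target_id.
def create_note_before(store, user, params)
  checked = store.fetch(params[:snippet_id])
  raise Forbidden unless can_create_note?(user, checked)
  target = store.fetch(params[:target_id] || params[:snippet_id])
  target.notes << { author: user, body: params[:body] }
  target.id
end

# After: :target_id/:target_type are ignored; one object is checked and written.
def create_note_after(store, user, params)
  noteable = store.fetch(params[:snippet_id])
  raise Forbidden unless can_create_note?(user, noteable)
  noteable.notes << { author: user, body: params[:body] }
  noteable.id
end

# Constructed request: the route names snippet 1, the body names snippet 2.
MISMATCHED = { snippet_id: 1, target_id: 2, target_type: "Snippet", body: "hi" }.freeze

# Runs one handler against a fresh store and counts notes on the private snippet.
def notes_on_private(handler)
  store = fresh_store
  send(handler, store, "alice", MISMATCHED)
  store[2].notes.size
end

puts "before: #{notes_on_private(:create_note_before)} note(s) on the private snippet"
puts "after:  #{notes_on_private(:create_note_after)} note(s) on the private snippet"
```

A regression test for this class of bug sends the mismatched parameters and asserts that the note count on the unauthorized object does not change.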
security-notes-in-private-snippets.yml 105 Bytes