Commit 46ba1801 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'

[master] Revoke award_emoji permissions for confidential issues

Closes #2776

See merge request gitlab/gitlabhq!2790
parents a3e4307a a2338de0
...@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy ...@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
prevent :read_note prevent :read_note
prevent :admin_note prevent :admin_note
prevent :resolve_note prevent :resolve_note
prevent :award_emoji
end end
rule { is_author }.policy do rule { is_author }.policy do
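Review bot: The `prevent` list in this rule is a deny-list that has to be extended by hand for every ability that can be granted on a note, and nothing in the hunk tells the next author so; `award_emoji` is the one that had been left out. A comment above the list would make the invariant explicit, for example `# Every ability that can be granted on a note must be prevented here when its parent is not visible to the user.` The rule's condition and the opening of its `policy do` block are outside the hunk, so the wording should be aligned with that condition.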
......
---
title: Prevent awarding emojis to notes whose parent is not visible to user
merge_request:
author:
type: security
...@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do ...@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_disallowed(:admin_note) expect(policy).to be_disallowed(:admin_note)
expect(policy).to be_disallowed(:resolve_note) expect(policy).to be_disallowed(:resolve_note)
expect(policy).to be_disallowed(:read_note) expect(policy).to be_disallowed(:read_note)
expect(policy).to be_disallowed(:award_emoji)
end end
end end
...@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do ...@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_allowed(:admin_note) expect(policy).to be_allowed(:admin_note)
expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:resolve_note)
expect(policy).to be_allowed(:read_note) expect(policy).to be_allowed(:read_note)
expect(policy).to be_allowed(:award_emoji)
end end
end end
end end
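Review bot: The `describe` line quoted in both hunk headers reads `describe NotePolicy, mdoels: true do`, which looks like a misspelling of `models: true`. As written, the examples carry an unused metadata key, so any configuration or filtering keyed on `models` would presumably not apply to this spec, including the new `award_emoji` expectations. Changing it to `describe NotePolicy, models: true do` would fix that; the line itself lies outside the hunks. Separately, each new expectation is added as the fourth in a single example, so a failure in an earlier one would hide its result. Adding `:aggregate_failures` to those examples (their `it` lines are not visible here) would report all four.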
......