Merge branch 'security-check-read-note-permissions-before-creating-todo-14-10'...

Merge branch 'security-check-read-note-permissions-before-creating-todo-14-10' into '14-10-stable-ee' Verify that mentioned user can read TODO's note See merge request gitlab-org/security/gitlab!2397

Merge branch 'security-check-read-note-permissions-before-creating-todo-14-10'...
Merge branch 'security-check-read-note-permissions-before-creating-todo-14-10' into '14-10-stable-ee' Verify that mentioned user can read TODO's note See merge request gitlab-org/security/gitlab!2397
a9371185 · GitLab Release Tools Bot · 965fd668 · fd166c1b · a9371185 · a9371185
Commit a9371185 authored Apr 29, 2022 by GitLab Release Tools Bot
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 2 deletions

app/services/todo_service.rb app/services/todo_service.rb +0 -2

spec/services/todo_service_spec.rb spec/services/todo_service_spec.rb +12 -0

No files found.
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -369,8 +369,6 @@ class TodoService
  end

  def reject_users_without_access(users, parent, target)
-    target = target.noteable if target.is_a?(Note)
-
    if target.respond_to?(:to_ability_name)
      select_users(users, :"read_#{target.to_ability_name}", target)
    else

--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
@@ -391,6 +391,7 @@ RSpec.describe TodoService do
      let!(:second_todo) { create(:todo, :assigned, user: john_doe, project: project, target: issue, author: author) }
      let(:confidential_issue) { create(:issue, :confidential, project: project, author: author, assignees: [assignee]) }
      let(:note) { create(:note, project: project, noteable: issue, author: john_doe, note: mentions) }
+      let(:confidential_note) { create(:note, :confidential, project: project, noteable: issue, author: john_doe, note: mentions) }
      let(:addressed_note) { create(:note, project: project, noteable: issue, author: john_doe, note: directly_addressed) }
      let(:note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: mentions) }
      let(:addressed_note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: directly_addressed) }
@@ -468,6 +469,17 @@ RSpec.describe TodoService do
        should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
      end

+      it 'does not create todo if user can not read confidential note' do
+        service.new_note(confidential_note, john_doe)
+
+        should_not_create_todo(user: non_member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_not_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: author, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: assignee, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: john_doe, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+      end
+
      context 'commits' do
        let(:base_commit_todo_attrs) { { target_id: nil, target_type: 'Commit', author: john_doe } }