diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index f22843b6463761f4ea40e99b2e6b563ff5624cd8..8d23e3abed38643a322bda9b1ce4ef8bd871e0e4 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
     prevent :read_note
     prevent :admin_note
     prevent :resolve_note
+    prevent :award_emoji
   end
 
   rule { is_author }.policy do
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3ad92578c441a1320a1f64f25c3360791610883f
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index 7e25c53e77c30ca35d141afbd54460639124c2cc..0e848c74659f75f8c8e5efc2eefa86ca0a25de21 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
           expect(policy).to be_disallowed(:admin_note)
           expect(policy).to be_disallowed(:resolve_note)
           expect(policy).to be_disallowed(:read_note)
+          expect(policy).to be_disallowed(:award_emoji)
         end
       end
 
@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
           expect(policy).to be_allowed(:admin_note)
           expect(policy).to be_allowed(:resolve_note)
           expect(policy).to be_allowed(:read_note)
+          expect(policy).to be_allowed(:award_emoji)
         end
       end
     end