Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'

[master] Revoke award_emoji permissions for confidential issues Closes #2776 See merge request gitlab/gitlabhq!2790

Merge branch 'security-2776-fix-add-reaction-permissions' into 'master'
[master] Revoke award_emoji permissions for confidential issues Closes #2776 See merge request gitlab/gitlabhq!2790
46ba1801 · Yorick Peterse · a3e4307a · a2338de0 · 46ba1801 · 46ba1801
3 changed file
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
+    prevent :award_emoji
  end

  rule { is_author }.policy do

--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_disallowed(:admin_note)
          expect(policy).to be_disallowed(:resolve_note)
          expect(policy).to be_disallowed(:read_note)
+          expect(policy).to be_disallowed(:award_emoji)
        end
      end

@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_allowed(:admin_note)
          expect(policy).to be_allowed(:resolve_note)
          expect(policy).to be_allowed(:read_note)
+          expect(policy).to be_allowed(:award_emoji)
        end
      end
    end