Prevent award_emoji to notes not visible to user

When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes

Prevent award_emoji to notes not visible to user
When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes
9f67b886 · Heinrich Lee Yu · Yorick Peterse · 6c0758f6 · 9f67b886 · 9f67b886
3 changed file
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
+    prevent :award_emoji
  end

  rule { is_author }.policy do

--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_disallowed(:admin_note)
          expect(policy).to be_disallowed(:resolve_note)
          expect(policy).to be_disallowed(:read_note)
+          expect(policy).to be_disallowed(:award_emoji)
        end
      end

@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_allowed(:admin_note)
          expect(policy).to be_allowed(:resolve_note)
          expect(policy).to be_allowed(:read_note)
+          expect(policy).to be_allowed(:award_emoji)
        end
      end
    end