Add access checks for diff note and discussion resolution

ed6c8238 · Douwe Maan · bbab5d01 · ed6c8238 · ed6c8238
隐藏空白更改
内联并排

Showing with 15 addition and 1 deletion

app/models/ability.rb app/models/ability.rb +7 -1

app/models/discussion.rb app/models/discussion.rb +8 -0

未找到文件。
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -257,6 +257,7 @@ class Ability
        :create_merge_request,
        :create_wiki,
        :push_code,
+        :resolve_note,
        :create_container_image,
        :update_container_image,
        :create_environment,
@@ -426,7 +427,8 @@ class Ability
        rules += [
          :read_note,
          :update_note,
-          :admin_note
+          :admin_note,
+          :resolve_note
        ]
      end

@@ -434,6 +436,10 @@ class Ability
        rules += project_abilities(user, note.project)
      end

+      if note.for_merge_request? && note.noteable.author == user
+        rules << :resolve_note
+      end
+
      rules
    end


--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -63,6 +63,14 @@ class Discussion
    notes.any?(&:to_be_resolved?)
  end

+  def can_resolve?(current_user)
+    return false unless current_user
+    return false unless resolvable?
+
+    current_user == self.noteable.author ||
+      can?(current_user, :push_code, self.project)
+  end
+
  def resolve!(current_user)
    notes.each do |note|
      note.resolve!(current_user) if note.resolvable?