
Commit 217411f3 by Robert Speicher Committed by Robert Speicher

Merge branch 'fix-guest-access-posting-to-notes' into 'security'

Prevent users from creating notes on resources they can't access. See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2054
parent 81588278
---
title: Prevent users from creating notes on resources they can't access
merge_request:
author:
...@@ -75,6 +75,9 @@ module API ...@@ -75,6 +75,9 @@ module API
noteable_id: params[:noteable_id] noteable_id: params[:noteable_id]
} }
noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
if can?(current_user, noteable_read_ability_name(noteable), noteable)
if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user) if params[:created_at] && (current_user.is_admin? || user_project.owner == current_user)
opts[:created_at] = params[:created_at] opts[:created_at] = params[:created_at]
end end
...@@ -86,6 +89,9 @@ module API ...@@ -86,6 +89,9 @@ module API
else else
not_found!("Note #{note.errors.messages}") not_found!("Note #{note.errors.messages}")
end end
else
not_found!("Note")
end
end end
desc 'Update an existing +noteable+ note' do desc 'Update an existing +noteable+ note' do
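Review bot: `find` on the new `noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])` line runs before the `can?` check, so a missing noteable id raises RecordNotFound while an inaccessible one reaches `not_found!("Note")`; if the API's generic rescue (outside this hunk) renders a differently worded 404 than `not_found!` does, a caller can still tell "does not exist" from "not allowed", which is the distinction this commit is trying to remove. Consider funnelling both cases through the same response, e.g. `noteable = user_project.send(noteables_str.to_sym).find_by(id: params[:noteable_id])` followed by `not_found!("Note") unless noteable && can?(current_user, noteable_read_ability_name(noteable), noteable)`, which as a guard clause also flattens the new `if`/`else` wrapped around the whole note-creation body and removes the added `else` branch in the second hunk. `noteables_str` is not defined in this hunk; presumably it comes from a fixed list of noteable types rather than a free-form request value, which is worth confirming since it is passed straight to `send`. The enclosing `post` block starts before the first hunk.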
...@@ -264,6 +264,18 @@ describe API::Notes, api: true do ...@@ -264,6 +264,18 @@ describe API::Notes, api: true do
end end
end end
context 'when user does not have access to read the noteable' do
it 'responds with 404' do
project = create(:empty_project, :private) { |p| p.add_guest(user) }
issue = create(:issue, :confidential, project: project)
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user),
body: 'Foo'
expect(response).to have_http_status(404)
end
end
context 'when user does not have access to create noteable' do context 'when user does not have access to create noteable' do
let(:private_issue) { create(:issue, project: create(:project, :private)) } let(:private_issue) { create(:issue, project: create(:project, :private)) }
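Review bot: The new example exercises only a confidential issue in a private project, while the `can?` check it tests applies to every noteable type the endpoint serves, so a parallel example for another noteable type the guest cannot read would catch a regression in `noteable_read_ability_name` for that type (which types exist is not visible here). An example posting to a noteable id that does not exist, asserting the same 404, would also pin that the two failure paths stay indistinguishable. The enclosing describe block starts before this hunk.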