Commit a2338de0 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Prevent award_emoji to notes not visible to user

When the parent noteable is not visible to the user (e.g. a note on a
confidential issue), we prevent the user from adding emoji reactions to its notes.
parent 7a10ef6e
...@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy ...@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
prevent :read_note prevent :read_note
prevent :admin_note prevent :admin_note
prevent :resolve_note prevent :resolve_note
prevent :award_emoji
end end
rule { is_author }.policy do rule { is_author }.policy do
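Review bot: The new `prevent :award_emoji` only takes effect if every code path that creates a reaction on a note authorizes against the note itself with `can?(user, :award_emoji, note)`; a controller or API endpoint that checks the ability on the project or the noteable instead never consults this policy, and the note stays reactable. It would be worth confirming each toggle-award path for notes goes through the note policy rather than relying on the policy spec alone. The `rule { ... }.policy do` block this line sits in starts before the hunk, so its condition is not visible here; a comment above it such as `# A user who cannot read the noteable must not read, edit, resolve, or react to its notes` would make the intent of the prevent list explicit.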
---
title: Prevent awarding emojis to notes whose parent is not visible to user
merge_request:
author:
type: security
...@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do ...@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_disallowed(:admin_note) expect(policy).to be_disallowed(:admin_note)
expect(policy).to be_disallowed(:resolve_note) expect(policy).to be_disallowed(:resolve_note)
expect(policy).to be_disallowed(:read_note) expect(policy).to be_disallowed(:read_note)
expect(policy).to be_disallowed(:award_emoji)
end end
end end
...@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do ...@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
expect(policy).to be_allowed(:admin_note) expect(policy).to be_allowed(:admin_note)
expect(policy).to be_allowed(:resolve_note) expect(policy).to be_allowed(:resolve_note)
expect(policy).to be_allowed(:read_note) expect(policy).to be_allowed(:read_note)
expect(policy).to be_allowed(:award_emoji)
end end
end end
end end
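Review bot: The new `expect(policy).to be_disallowed(:award_emoji)` and `be_allowed(:award_emoji)` assertions exercise only the policy object, not the HTTP paths that create reactions; a request or API spec that posts a reaction to a note on a confidential issue as a non-member and asserts a 404/403 response with no `AwardEmoji` record created would cover the actual attack surface. The contexts these `it` blocks belong to start before the hunks, so the visibility setup they rely on is not visible here. Separately, the `describe NotePolicy, mdoels: true do` line shown in both hunk headers misspells `models`, so whatever the `models: true` metadata tag is meant to enable is not applied to this spec; it is pre-existing context rather than part of this change, but worth a follow-up.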