    Prevent unauthorised comments on merge requests · d30a90a3
    Alex Kalderimis authored
    * Prevent creating notes on inaccessible MRs
    
    This applies the notes rules at the MR scope. Rather than adding extra
    rules to the Project level policy, preventing :create_note here is
    better since it only prevents creating notes on MRs.
    
    * Prevent creating notes in inaccessible Issues
    
    Without this policy, non-team-members are allowed to comment on issues
    even when the project has the private-issues policy set. This means that
    without this change, users are allowed to comment on issues that they
    cannot read.
    
    * Add CHANGELOG entry
notes_controller_spec.rb 25.8 KB
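The authorization gap the commit message describes, modelled as an added example. This is not GitLab's code or its DeclarativePolicy rules: the Project/Issue/MergeRequest structs, the two policy classes and the private_features flag are constructed stand-ins that show why a project-scoped :create_note rule lets a user comment on a noteable they cannot read, and how conditioning the rule on read access at the noteable's scope closes it.

```ruby
# Added example, not GitLab's code: a minimal model of the authorization gap
# the commit closes. Project, Issue, MergeRequest and the two policy classes
# below are constructed stand-ins, not GitLab's models or DeclarativePolicy.
require 'set'

Project      = Struct.new(:team, :private_features, keyword_init: true)
Issue        = Struct.new(:project, keyword_init: true)
MergeRequest = Struct.new(:project, keyword_init: true)

class BasePolicy
  def initialize(user)
    @user = user
  end

  def team_member?(project)
    project.team.include?(@user)
  end

  # Read access follows the project's feature visibility: a feature listed in
  # private_features (:issues or :merge_requests) is readable by team members only.
  def can_read?(noteable)
    feature = noteable.is_a?(Issue) ? :issues : :merge_requests
    !noteable.project.private_features.include?(feature) || team_member?(noteable.project)
  end
end

# Before the fix: :create_note is decided at project scope, so it never looks at
# whether the specific issue or MR is readable by this user.
class ProjectScopedNotePolicy < BasePolicy
  def can_create_note?(_noteable)
    !@user.nil? # any signed-in user may comment anywhere in the project
  end
end

# After the fix: the note rule is applied at the noteable's scope and is
# conditioned on read access, so nobody can comment on what they cannot read.
class NoteableScopedNotePolicy < BasePolicy
  def can_create_note?(noteable)
    !@user.nil? && can_read?(noteable)
  end
end

# Evaluate both policies for one user/noteable pair; returns [before, after].
def note_decisions(user, noteable)
  [ProjectScopedNotePolicy.new(user).can_create_note?(noteable),
   NoteableScopedNotePolicy.new(user).can_create_note?(noteable)]
end

# Constructed scenario: issues are team-only, merge requests are public.
PROJECT = Project.new(team: Set['alice'], private_features: [:issues])
ISSUE   = Issue.new(project: PROJECT)
MR      = MergeRequest.new(project: PROJECT)

if __FILE__ == $PROGRAM_NAME
  { 'alice (team)' => 'alice', 'bob (non-member)' => 'bob' }.each do |label, user|
    puts "#{label}: issue #{note_decisions(user, ISSUE).inspect}, " \
         "MR #{note_decisions(user, MR).inspect}"
  end
end
```

Running it shows the non-member `bob` getting `[true, false]` for the private issue: the project-scoped rule allows the comment, the noteable-scoped rule denies it, while `alice` and the public MR are unaffected. The same pattern is a useful regression check for any "can act on X" permission: it should never be granted without the matching "can read X".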