Merge branch 'issue_39176' into 'master'

Render 404 when polling commit notes without having permissions Closes #39176 See merge request gitlab-org/gitlab-ce!15140

Merge branch 'issue_39176' into 'master'
Render 404 when polling commit notes without having permissions Closes #39176 See merge request gitlab-org/gitlab-ce!15140
3971f955 · Douwe Maan · 539dbef0 · 3ae5f790 · 3971f955 · 3971f955
Commit 3971f955 authored Nov 03, 2017 by Douwe Maan
3 changed files
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -4,6 +4,7 @@ module NotesActions
  included do
    before_action :set_polling_interval_header, only: [:index]
+    before_action :noteable, only: :index
    before_action :authorize_admin_note!, only: [:update, :destroy]
    before_action :note_project, only: [:create]
  end
@@ -188,7 +189,7 @@ module NotesActions
  end
  def noteable
-    @noteable ||= notes_finder.target
+    @noteable ||= notes_finder.target || render_404
  end
  def last_fetched_at

--- a/changelogs/unreleased/issue_39176.yml
+++ b/changelogs/unreleased/issue_39176.yml
+---
+title: Render 404 when polling commit notes without having permissions
+merge_request:
+author:
+type: fixed
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -105,6 +105,19 @@ describe Projects::NotesController do
          expect(note_json[:discussion_html]).to be_nil
          expect(note_json[:diff_discussion_html]).to be_nil
        end
+        context 'when user cannot read commit' do
+          before do
+            allow(Ability).to receive(:allowed?).and_call_original
+            allow(Ability).to receive(:allowed?).with(user, :download_code, project).and_return(false)
+          end
+          it 'renders 404' do
+            get :index, params
+            expect(response).to have_gitlab_http_status(404)
+          end
+        end
      end
    end