Commit 518fe9a1 authored by Alexandru Croitor's avatar Alexandru Croitor

Let non-members set confidential flag on issue

When creating an issue a logged in user should be able to set
the issue as confidential in a public project. This facilitates
the flow of reporting security issues as confidential in open source
public projects.

Changelog: fixed
parent 20ced226
...@@ -69,6 +69,14 @@ class IssuePolicy < IssuablePolicy ...@@ -69,6 +69,14 @@ class IssuePolicy < IssuablePolicy
rule { persisted & can?(:admin_issue) }.policy do rule { persisted & can?(:admin_issue) }.policy do
enable :set_issue_metadata enable :set_issue_metadata
end end
rule { can?(:set_issue_metadata) }.policy do
enable :set_confidentiality
end
rule { ~persisted & can?(:create_issue) }.policy do
enable :set_confidentiality
end
end end
IssuePolicy.prepend_mod_with('IssuePolicy') IssuePolicy.prepend_mod_with('IssuePolicy')
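Review bot: The new rule `rule { ~persisted & can?(:create_issue) }` carries no comment saying why a user without `admin_issue` may set confidentiality, and it relies on `create_issue` already being denied to anonymous users, which the commit message gives as the intended limit ("a logged in user") but the rule itself does not express. I would add above it `# Anyone who can create an issue may mark a new, unpersisted issue confidential so that security reports in public projects are not disclosed; existing issues still require :set_issue_metadata.` A policy spec asserting that `:set_confidentiality` is disallowed for an anonymous user on a new issue, and for a non-member author on a persisted one, would pin both halves of that contract. The class body begins before this hunk.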
...@@ -51,9 +51,12 @@ class IssuableBaseService < ::BaseProjectService ...@@ -51,9 +51,12 @@ class IssuableBaseService < ::BaseProjectService
params.delete(:canonical_issue_id) params.delete(:canonical_issue_id)
params.delete(:project) params.delete(:project)
params.delete(:discussion_locked) params.delete(:discussion_locked)
params.delete(:confidential)
end end
# confidential attribute is a special type of metadata and needs to be allowed to be set
# by non-members on issues in public projects so that security issues can be reported as confidential.
params.delete(:confidential) unless can?(current_user, :set_confidentiality, issuable)
filter_assignees(issuable) filter_assignees(issuable)
filter_milestone filter_milestone
filter_labels filter_labels
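Review bot: The check `params.delete(:confidential) unless can?(current_user, :set_confidentiality, issuable)` now runs for every issuable type this service handles, so for a type whose policy does not define `:set_confidentiality` the attribute is always stripped instead of following the metadata rule it used to fall under; that is presumably intended, but only issues and epics are shown here, so a spec per issuable type would make it explicit. The comment also does not say that on the update path the policy is evaluated against the persisted issuable, so a non-member who reported a confidential issue cannot later toggle the flag. I would extend the comment with `# On update the policy is evaluated against the persisted issuable, so only users with metadata rights can change it afterwards.` The enclosing method starts before this hunk.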
- project = local_assigns.fetch(:project) - project = local_assigns.fetch(:project)
- issuable = local_assigns.fetch(:issuable) - issuable = local_assigns.fetch(:issuable)
- presenter = local_assigns.fetch(:presenter) - presenter = local_assigns.fetch(:presenter)
- return unless can?(current_user, :"set_#{issuable.to_ability_name}_metadata", issuable)
- has_due_date = issuable.has_attribute?(:due_date) - has_due_date = issuable.has_attribute?(:due_date)
- form = local_assigns.fetch(:form) - form = local_assigns.fetch(:form)
- if issuable.respond_to?(:confidential) - if issuable.respond_to?(:confidential) && can?(current_user, :set_confidentiality, issuable)
.form-group.row .form-group.row
.offset-sm-2.col-sm-10 .offset-sm-2.col-sm-10
.form-check .form-check
...@@ -15,8 +12,9 @@ ...@@ -15,8 +12,9 @@
= form.label :confidential, class: 'form-check-label' do = form.label :confidential, class: 'form-check-label' do
This issue is confidential and should only be visible to team members with at least Reporter access. This issue is confidential and should only be visible to team members with at least Reporter access.
%hr - if can?(current_user, :"set_#{issuable.to_ability_name}_metadata", issuable)
.row %hr
.row
%div{ class: (has_due_date ? "col-lg-6" : "col-12") } %div{ class: (has_due_date ? "col-lg-6" : "col-12") }
.form-group.row.merge-request-assignee .form-group.row.merge-request-assignee
= render "shared/issuable/form/metadata_issuable_assignee", issuable: issuable, form: form, has_due_date: has_due_date = render "shared/issuable/form/metadata_issuable_assignee", issuable: issuable, form: form, has_due_date: has_due_date
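Review bot: The `%hr` and `.row` lines that follow the new `- if can?(current_user, :"set_#{issuable.to_ability_name}_metadata", issuable)` must sit one level deeper for HAML to treat them as that branch's body, and the rendered lines do not let me confirm the indentation; a view spec rendering the partial for a non-member of a public project, checking that the confidential checkbox appears while the assignee and milestone fields do not, would cover it. With the earlier `return unless` removed, the metadata ability is now evaluated here while `:set_confidentiality` is evaluated on the first hunk's `- if`, so naming both results once near the top, e.g. `- can_set_metadata = can?(current_user, :"set_#{issuable.to_ability_name}_metadata", issuable)`, would keep the two conditions side by side. The first hunk of this file starts outside the visible section.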
...@@ -38,5 +38,6 @@ class EpicPolicy < BasePolicy ...@@ -38,5 +38,6 @@ class EpicPolicy < BasePolicy
rule { can?(:admin_epic) }.policy do rule { can?(:admin_epic) }.policy do
enable :set_epic_metadata enable :set_epic_metadata
enable :set_confidentiality
end end
end end