EE port of gitlabhq!2824

Remove unneeded override for notes build service. Check on noteable is already done outside this method.

EE port of gitlabhq!2824
Remove unneeded override for notes build service. Check on noteable is already done outside this method.
e173fcca · Heinrich Lee Yu · Heinrich Lee Yu · c9868d15 · e173fcca · e173fcca
Commit e173fcca authored Jan 28, 2019 by Heinrich Lee Yu Committed by Heinrich Lee Yu Jan 28, 2019
13 changed files
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -18,6 +18,7 @@ class IssuePolicy < IssuablePolicy
    prevent :read_issue_iid
    prevent :update_issue
    prevent :admin_issue
+    prevent :create_note
  end

  rule { locked }.policy do

--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@@ -28,5 +28,8 @@ class PersonalSnippetPolicy < BasePolicy

  rule { anonymous }.prevent :comment_personal_snippet

-  rule { can?(:comment_personal_snippet) }.enable :award_emoji
+  rule { can?(:comment_personal_snippet) }.policy do
+    enable :create_note
+    enable :award_emoji
+  end
 end
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -43,6 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
    enable :update_project_snippet
    enable :admin_project_snippet
  end
+
+  rule { ~can?(:read_project_snippet) }.prevent :create_note
 end

 ProjectSnippetPolicy.prepend(EE::ProjectSnippetPolicy)
--- a/app/services/notes/build_service.rb
+++ b/app/services/notes/build_service.rb
@@ -2,8 +2,6 @@

 module Notes
  class BuildService < ::BaseService
-    prepend ::EE::Notes::BuildService # rubocop: disable Cop/InjectEnterpriseEditionModule
-
    def execute
      should_resolve = false
      in_reply_to_discussion_id = params.delete(:in_reply_to_discussion_id)
@@ -11,7 +9,7 @@ module Notes
      if in_reply_to_discussion_id.present?
        discussion = find_discussion(in_reply_to_discussion_id)

-        unless discussion
+        unless discussion && can?(current_user, :create_note, discussion.noteable)
          note = Note.new
          note.errors.add(:base, 'Discussion to reply to cannot be found')
          return note
@@ -36,19 +34,8 @@ module Notes
      if project
        project.notes.find_discussion(discussion_id)
      else
-        discussion = Note.find_discussion(discussion_id)
-        noteable = discussion.noteable
-
-        return nil unless noteable_without_project?(noteable)
-
-        discussion
+        Note.find_discussion(discussion_id)
      end
    end
-
-    def noteable_without_project?(noteable)
-      return true if noteable.is_a?(PersonalSnippet) && can?(current_user, :comment_personal_snippet, noteable)
-
-      false
-    end
  end
 end
--- a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
+++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
+---
+title: Prevent unauthorized replies when discussion is locked or confidential
+merge_request:
+author:
+type: security
--- a/ee/app/services/ee/notes/build_service.rb
+++ b/ee/app/services/ee/notes/build_service.rb
-# frozen_string_literal: true
-
-module EE
-  module Notes
-    module BuildService
-      extend ActiveSupport::Concern
-      extend ::Gitlab::Utils::Override
-
-      override :noteable_without_project?
-      def noteable_without_project?(noteable)
-        return true if noteable.is_a?(Epic) && can?(current_user, :create_note, noteable)
-
-        super
-      end
-    end
-  end
-end
--- a/lib/gitlab/email/handler/reply_processing.rb
+++ b/lib/gitlab/email/handler/reply_processing.rb
@@ -56,7 +56,7 @@ module Gitlab
            raise ProjectNotFound unless author.can?(:read_project, project)
          end

-          raise UserNotAuthorizedError unless author.can?(permission, project || noteable)
+          raise UserNotAuthorizedError unless author.can?(permission, try(:noteable) || project)
        end

        def verify_record!(record:, invalid_exception:, record_name:)

--- a/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
+++ b/spec/lib/gitlab/email/handler/create_note_handler_spec.rb
@@ -118,6 +118,43 @@ describe Gitlab::Email::Handler::CreateNoteHandler do
    end
  end

+  shared_examples "checks permissions on noteable" do
+    context "when user has access" do
+      before do
+        project.add_reporter(user)
+      end
+
+      it "creates a comment" do
+        expect { receiver.execute }.to change { noteable.notes.count }.by(1)
+      end
+    end
+
+    context "when user does not have access" do
+      it "raises UserNotAuthorizedError" do
+        expect { receiver.execute }.to raise_error(Gitlab::Email::UserNotAuthorizedError)
+      end
+    end
+  end
+
+  context "when discussion is locked" do
+    before do
+      noteable.update_attribute(:discussion_locked, true)
+    end
+
+    it_behaves_like "checks permissions on noteable"
+  end
+
+  context "when issue is confidential" do
+    let(:issue) { create(:issue, project: project) }
+    let(:note) { create(:note, noteable: issue, project: project) }
+
+    before do
+      issue.update_attribute(:confidential, true)
+    end
+
+    it_behaves_like "checks permissions on noteable"
+  end
+
  context "when everything is fine" do
    before do
      setup_attachment

--- a/spec/models/sent_notification_spec.rb
+++ b/spec/models/sent_notification_spec.rb
@@ -48,7 +48,7 @@ describe SentNotification do
    let(:note) { create(:diff_note_on_merge_request) }

    it 'creates a new SentNotification' do
-      expect { described_class.record_note(note, user.id) }.to change { described_class.count }.by(1)
+      expect { described_class.record_note(note, note.author.id) }.to change { described_class.count }.by(1)
    end
  end


--- a/spec/policies/personal_snippet_policy_spec.rb
+++ b/spec/policies/personal_snippet_policy_spec.rb
@@ -14,6 +14,13 @@ describe PersonalSnippetPolicy do
    ]
  end

+  let(:comment_permissions) do
+    [
+      :comment_personal_snippet,
+      :create_note
+    ]
+  end
+
  def permissions(user)
    described_class.new(user, snippet)
  end
@@ -26,7 +33,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -37,7 +44,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_allowed(:comment_personal_snippet)
+        is_expected.to be_allowed(*comment_permissions)
        is_expected.to be_allowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -48,7 +55,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_allowed(:comment_personal_snippet)
+        is_expected.to be_allowed(*comment_permissions)
        is_expected.to be_allowed(:award_emoji)
        is_expected.to be_allowed(*author_permissions)
      end
@@ -63,7 +70,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_disallowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -74,7 +81,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_allowed(:comment_personal_snippet)
+        is_expected.to be_allowed(*comment_permissions)
        is_expected.to be_allowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -85,7 +92,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_disallowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -96,7 +103,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_allowed(:comment_personal_snippet)
+        is_expected.to be_allowed(*comment_permissions)
        is_expected.to be_allowed(:award_emoji)
        is_expected.to be_allowed(*author_permissions)
      end
@@ -111,7 +118,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_disallowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -122,7 +129,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_disallowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -133,7 +140,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_disallowed(:read_personal_snippet)
-        is_expected.to be_disallowed(:comment_personal_snippet)
+        is_expected.to be_disallowed(*comment_permissions)
        is_expected.to be_disallowed(:award_emoji)
        is_expected.to be_disallowed(*author_permissions)
      end
@@ -144,7 +151,7 @@ describe PersonalSnippetPolicy do

      it do
        is_expected.to be_allowed(:read_personal_snippet)
-        is_expected.to be_allowed(:comment_personal_snippet)
+        is_expected.to be_allowed(*comment_permissions)
        is_expected.to be_allowed(:award_emoji)
        is_expected.to be_allowed(*author_permissions)
      end

--- a/spec/policies/project_snippet_policy_spec.rb
+++ b/spec/policies/project_snippet_policy_spec.rb
@@ -41,7 +41,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(regular_user, :public) }

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -50,7 +50,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(external_user, :public) }

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -70,7 +70,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(regular_user, :internal) }

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -79,7 +79,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(external_user, :internal) }

      it do
-        expect_disallowed(:read_project_snippet)
+        expect_disallowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -92,7 +92,7 @@ describe ProjectSnippetPolicy do
      end

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -122,7 +122,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(regular_user, :private) }

      it do
-        expect_disallowed(:read_project_snippet)
+        expect_disallowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -133,7 +133,7 @@ describe ProjectSnippetPolicy do
      subject { described_class.new(regular_user, snippet) }

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_allowed(*author_permissions)
      end
    end
@@ -146,7 +146,7 @@ describe ProjectSnippetPolicy do
      end

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -159,7 +159,7 @@ describe ProjectSnippetPolicy do
      end

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_disallowed(*author_permissions)
      end
    end
@@ -178,7 +178,7 @@ describe ProjectSnippetPolicy do
      subject { abilities(create(:admin), :private) }

      it do
-        expect_allowed(:read_project_snippet)
+        expect_allowed(:read_project_snippet, :create_note)
        expect_allowed(*author_permissions)
      end
    end

--- a/spec/services/notes/build_service_spec.rb
+++ b/spec/services/notes/build_service_spec.rb
@@ -45,6 +45,15 @@ describe Notes::BuildService do
        end
      end

+      context 'when user has no access to discussion' do
+        it 'sets an error' do
+          another_user = create(:user)
+          new_note = described_class.new(project, another_user, note: 'Test', in_reply_to_discussion_id: note.discussion_id).execute
+
+          expect(new_note.errors[:base]).to include('Discussion to reply to cannot be found')
+        end
+      end
+
      context 'personal snippet note' do
        def reply(note, user = nil)
          user ||= create(:user)

--- a/spec/services/notes/create_service_spec.rb
+++ b/spec/services/notes/create_service_spec.rb
@@ -127,6 +127,10 @@ describe Notes::CreateService do
        create(:diff_note_on_merge_request, noteable: merge_request, project: project_with_repo)
      end

+      before do
+        project_with_repo.add_maintainer(user)
+      end
+
      context 'when eligible to have a note diff file' do
        let(:new_opts) do
          opts.merge(in_reply_to_discussion_id: nil,