Prevent unauthorised comments on merge requests
* Prevent creating notes on inaccessible MRs

  This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs.

* Prevent creating notes in inaccessible Issues

  Without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read.

* Add CHANGELOG entry
Changed files:
- app/policies/issue_policy.rb: 5 additions, 4 deletions
- app/policies/merge_request_policy.rb: 6 additions, 0 deletions
- changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml: 3 additions, 0 deletions
- spec/controllers/projects/notes_controller_spec.rb: 240 additions, 71 deletions
- spec/policies/issue_policy_spec.rb: 28 additions, 0 deletions
- spec/policies/merge_request_policy_spec.rb: 89 additions, 0 deletions
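
An added example, not code from this commit or from GitLab: a simplified Ruby model of the rule the commit message describes, where a project-level grant of :create_note is withheld at the issue or merge request scope when the user cannot read that resource. The structs, the read_* ability names, the visibility flags and the helper names are assumptions made for illustration.

```ruby
require 'set'

# Constructed, simplified model; names are hypothetical, not GitLab's classes.
User     = Struct.new(:name, :team_member)
Project  = Struct.new(:issues_private, :merge_requests_private)
Noteable = Struct.new(:kind, :project) # kind is :issue or :merge_request

# Project scope: every signed-in user may create notes, while reading issues
# or MRs depends on membership and the per-feature visibility flag (assumed).
def project_abilities(user, project)
  abilities = Set[:create_note]
  abilities << :read_issue if user.team_member || !project.issues_private
  abilities << :read_merge_request if user.team_member || !project.merge_requests_private
  abilities
end

# Resource scope before the change: project abilities are inherited unchanged.
def abilities_before(user, noteable)
  project_abilities(user, noteable.project)
end

# Resource scope after the change: :create_note is prevented on a resource
# the user cannot read; nothing else at project level is touched.
def abilities_after(user, noteable)
  abilities = project_abilities(user, noteable.project)
  abilities.delete(:create_note) unless abilities.include?(:"read_#{noteable.kind}")
  abilities
end

# Invariant for a policy spec: list every (user, resource kind) pair that
# may write a note without being able to read the resource.
def write_without_read(users, noteables, policy)
  users.product(noteables).select { |user, noteable|
    abilities = send(policy, user, noteable)
    abilities.include?(:create_note) && !abilities.include?(:"read_#{noteable.kind}")
  }.map { |user, noteable| [user.name, noteable.kind] }
end

# Constructed sample data: one project with private issues and private MRs.
PRIVATE_PROJECT = Project.new(true, true)
USERS     = [User.new('member', true), User.new('outsider', false)]
NOTEABLES = [Noteable.new(:issue, PRIVATE_PROJECT), Noteable.new(:merge_request, PRIVATE_PROJECT)]

p write_without_read(USERS, NOTEABLES, :abilities_before)
p write_without_read(USERS, NOTEABLES, :abilities_after)
```

The same write-without-read invariant can be asserted in policy specs for any resource that inherits abilities from its container.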