Skip to content

Reporter+ role required to view and create internal notes

Plan:Certify

Problem to solve

Limiting the visibility of internal notes to Reporter and above (and not Authors that don't belong to the project and Guests) gives organizations assurance that information in these notes will only be visible to members of their org.

By default, Internal notes should not be displayed to Guest Users even if they created the issue. Internal notes should be reserved to a Reporter+ user.

Guest Users should not be able to create or view any internal notes

  • as part of the fix, narrow also permission check in users_that_can_read_internal_notes to use rather can_read_confidential_note instead of reporter_access - !90073 (diffs, comment 1000963762)

Steps to reproduce

  1. Create an issue as a Guest user
  2. Post an internal note from another Reporter+ user
  3. Check if the Guest user see the internal notes from the Reporter+ user
  4. With the Reporter+ user, reply to the Guest user internal note
  5. Check if the Guest user see the reply from the Reporter+ user

Screenshot_2022-05-20_at_15.51.06

Example Project

https://gitlab.com/madou-stories/support-team/customers/bank-a/-/issues/2

What is the current bug behavior?

  1. The Guest user see the internal notes from others
  2. The Guest user see the replies of their internal notes

What is the expected correct behavior?

  • Guest users cannot create or view any internal notes
  • Assignees of issues cannot create or view internal notes unless already reporter+
  • Authors cannot create or view internal notes unless already reporter+

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes

Edited by Sarah Waldner