Reporter+ role required to view and create internal notes
Plan:Certify
Problem to solve
Limiting the visibility of internal notes to Reporter and above (and not to Authors who don't belong to the project, or to Guests) gives organizations assurance that the information in these notes will only be visible to members of their org.
By default, internal notes should not be displayed to Guest users, even if they created the issue. Internal notes should be reserved for Reporter+ users.
- Guest users should not be able to create or view any internal notes.
- As part of the fix, also narrow the permission check in `users_that_can_read_internal_notes` to use `can_read_confidential_note` instead of `reporter_access` (see !90073 (diffs, comment 1000963762)).
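The visibility rule the fix is meant to enforce, as an added example that is not GitLab's code: a minimal Ruby model of who may read an issue's internal notes. The role names follow GitLab's access levels; the classes, helper names (`reporter_or_above?`, `visible_notes`, the two `internal_note_readers_*` variants) and the sample users and notes are constructed for illustration. The "before fix" variant reconstructs the symptom described in this issue (author/assignee participation was enough to read internal notes even as a Guest); it is not a transcription of the real pre-fix check.

```ruby
# Added example, not GitLab's code: a minimal model of who may read internal
# notes on an issue. Role names follow GitLab's access levels; the classes,
# method names and sample data below are constructed for illustration.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User  = Struct.new(:name)
Note  = Struct.new(:author, :body, :internal)
# members: { User => role symbol }; non-members are absent from the hash
Issue = Struct.new(:members, :author, :assignees, :notes)

# Reporter+ membership in the issue's project (constructed helper).
def reporter_or_above?(issue, user)
  role = issue.members[user]
  !role.nil? && ACCESS_LEVELS.fetch(role) >= ACCESS_LEVELS[:reporter]
end

# Symptom reported in this issue: the issue author and assignees could read
# internal notes even as Guests or non-members, because participation in the
# issue was treated as sufficient. Reconstruction, not GitLab's real check.
def internal_note_readers_before_fix(issue, users)
  users.select do |u|
    reporter_or_above?(issue, u) || u == issue.author || issue.assignees.include?(u)
  end
end

# Expected behaviour: reporter+ membership is the only thing that grants
# access; being the author, an assignee, or a Guest confers nothing.
def internal_note_readers_after_fix(issue, users)
  users.select { |u| reporter_or_above?(issue, u) }
end

# Notes a given user may see under a chosen readers rule: public notes are
# always visible, internal ones only if the rule admits the user.
def visible_notes(issue, user, readers_rule)
  allowed = readers_rule.call(issue, [user]).include?(user)
  issue.notes.select { |n| !n.internal || allowed }
end

# Constructed sample data mirroring the reproduction steps above.
GUEST    = User.new("guest-author")
REPORTER = User.new("reporter")
OUTSIDER = User.new("non-member-assignee")

ISSUE = Issue.new(
  { GUEST => :guest, REPORTER => :reporter },
  GUEST,
  [OUTSIDER],
  [
    Note.new(GUEST,    "public comment from the guest", false),
    Note.new(REPORTER, "internal triage note",          true),
    Note.new(REPORTER, "internal reply to the guest",   true)
  ]
)

def readers_before
  internal_note_readers_before_fix(ISSUE, [GUEST, REPORTER, OUTSIDER]).map(&:name)
end

def readers_after
  internal_note_readers_after_fix(ISSUE, [GUEST, REPORTER, OUTSIDER]).map(&:name)
end

def guest_visible_after
  visible_notes(ISSUE, GUEST, method(:internal_note_readers_after_fix)).map(&:body)
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{readers_before.inspect}"
  puts "after fix:  #{readers_after.inspect}"
  puts "guest sees after fix: #{guest_visible_after.inspect}"
end
```

The point of the model is that the reader set is derived from project membership alone; once the author and assignee clauses are gone, the Guest author drops out of the set and only sees the public note, while the Reporter still sees all three.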
Steps to reproduce
- Create an issue as a Guest user
- Post an internal note from another Reporter+ user
- Check whether the Guest user can see the internal note from the Reporter+ user
- With the Reporter+ user, reply to the Guest user's internal note
- Check whether the Guest user can see the reply from the Reporter+ user
Example Project
https://gitlab.com/madou-stories/support-team/customers/bank-a/-/issues/2
What is the current bug behavior?
- The Guest user sees the internal notes from others
- The Guest user sees the replies to their internal notes
What is the expected correct behavior?
- Guest users cannot create or view any internal notes
- Assignees of issues cannot create or view internal notes unless already reporter+
- Authors cannot create or view internal notes unless already reporter+