
Award emojis API for an internal note is accessible to users without access to the note

Steps to reproduce:

  1. Create an internal note and award an emoji to it
  2. As a user who can read the issue but not the internal note, request /api/v4/projects/:id/issues/:issue_iid/notes/:note_id/award_emoji
  3. See emojis awarded to the note

This happens because the award emoji API authorizes the request only against the parent noteable (the read_xxx permission on the issue) and never checks whether the requester can read the note itself: https://gitlab.com/gitlab-org/gitlab/-/blob/dd1e70d3676891025534dc4a1e89ca9383178fe7/lib/api/award_emoji.rb#L104-105
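To make the gap concrete, here is an added example (constructed for this write-up, not GitLab's own code) that models the two authorization shapes side by side: the vulnerable one that checks only the parent noteable, and a hardened one that also requires read access to the note being awarded. The class names, the role ladder (:non_member, :guest, :reporter), and the helper names are assumptions made for illustration.

```ruby
# Added example, not GitLab code: a constructed model of the authorization gap.
# User/Issue/Note, the role names and the helper names are assumptions.

Forbidden = Class.new(StandardError)

# role is one of :non_member, :guest, :reporter (assumed role ladder)
User  = Struct.new(:name, :role)
Issue = Struct.new(:iid, :confidential)
# awards: emoji names already awarded to the note (constructed sample data)
Note  = Struct.new(:id, :noteable, :internal, :awards)

# Assumption for the model: only these roles may see confidential issues
# and internal notes.
PRIVILEGED_ROLES = %i[reporter].freeze

# read_issue: members can read non-confidential issues; confidential issues
# need a privileged role.
def can_read_issue?(user, issue)
  return false if user.role == :non_member
  return true unless issue.confidential
  PRIVILEGED_ROLES.include?(user.role)
end

# read_note: the parent issue must be readable AND, for an internal note,
# the role must be allowed to see internal notes.
def can_read_note?(user, note)
  return false unless can_read_issue?(user, note.noteable)
  return true unless note.internal
  PRIVILEGED_ROLES.include?(user.role)
end

# Vulnerable shape: authorization is evaluated against the parent noteable
# only, so an internal note's awards leak to anyone who can read the issue.
def award_emoji_vulnerable(user, note)
  raise Forbidden, "read_issue" unless can_read_issue?(user, note.noteable)
  note.awards
end

# Hardened shape: authorize against the awardable (the note) as well.
def award_emoji_fixed(user, note)
  raise Forbidden, "read_issue" unless can_read_issue?(user, note.noteable)
  raise Forbidden, "read_note" unless can_read_note?(user, note)
  note.awards
end

# Runs one request through a handler and returns the outcome instead of
# raising, so the two shapes can be compared directly.
def outcome(handler, user, note)
  send(handler, user, note)
rescue Forbidden => e
  "403 (#{e.message})"
end

if __FILE__ == $PROGRAM_NAME
  issue    = Issue.new(7, false)
  internal = Note.new(42, issue, true,  %w[thumbsup eyes])
  public_n = Note.new(43, issue, false, %w[rocket])
  guest    = User.new("guest", :guest)         # reads the issue, not internal notes
  reporter = User.new("reporter", :reporter)   # reads both
  outsider = User.new("outsider", :non_member) # reads neither

  [[guest, internal], [reporter, internal], [outsider, internal], [guest, public_n]].each do |u, n|
    puts format("%-9s note %d: vulnerable=%-22s fixed=%s", u.name, n.id,
                outcome(:award_emoji_vulnerable, u, n).inspect,
                outcome(:award_emoji_fixed, u, n).inspect)
  end
end
```

The guest row is the report's scenario: the vulnerable handler returns the internal note's awards because read_issue passes, while the hardened handler rejects the request on the note-level check. Public notes behave identically under both shapes, which is the regression check to keep when adding the second authorization step.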

This requires a note_id, so it is not trivial to exploit, but a note_id can be recovered from email notifications if the user previously had access to the note.