Award emojis API for an internal note is accessible to users without access to the note
Steps to reproduce:
- Create an internal note and award an emoji to it
- As a user with access to the issue but not the note, request /api/v4/projects/:id/issues/:issue_iid/notes/:note_id/award_emoji
- See emojis awarded to the note
This happens because the award emoji API only checks the read_xxx permission on the parent noteable (for example the issue), not on the note itself:
https://gitlab.com/gitlab-org/gitlab/-/blob/dd1e70d3676891025534dc4a1e89ca9383178fe7/lib/api/award_emoji.rb#L104-105
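The following is an added illustration, not GitLab's own code: a minimal model of the authorization gap described above. The vulnerable handler authorizes only the parent noteable (the issue) and then returns the awards of any note id under it; the hardened handler also authorizes the note itself. The role names, the visibility rules (internal notes readable by reporter and above) and all sample data are simplified assumptions made for this example.

```ruby
# Added example, not GitLab's code: a minimal model of the authorization gap
# in which only the parent noteable is checked before listing a note's awards.
# Roles, visibility rules and sample data are simplified assumptions.

class AccessDenied < StandardError; end
class NotFound < StandardError; end

User  = Struct.new(:name, :role)      # role: :guest, :reporter, :developer, or nil (not a member)
Issue = Struct.new(:iid, :confidential)
Note  = Struct.new(:id, :issue, :internal, :awards)

# Assumed policy: any member can read a non-confidential issue; confidential
# issues and internal notes need reporter or above.
RANK = { guest: 1, reporter: 2, developer: 3 }.freeze

def reporter_or_above?(user)
  !user.role.nil? && RANK.fetch(user.role) >= RANK[:reporter]
end

def can_read_issue?(user, issue)
  return false if user.role.nil?
  !issue.confidential || reporter_or_above?(user)
end

def can_read_note?(user, note)
  can_read_issue?(user, note.issue) && (!note.internal || reporter_or_above?(user))
end

def find_note(issue, notes, note_id)
  notes.find { |n| n.id == note_id && n.issue == issue }
end

# Vulnerable shape: the only authorization is on the parent noteable, so a
# guest who can read the issue also gets the awards on an internal note.
def award_emojis_vulnerable(user, issue, notes, note_id)
  raise AccessDenied unless can_read_issue?(user, issue)
  note = find_note(issue, notes, note_id)
  raise NotFound unless note
  note.awards
end

# Hardened shape: authorize the note as well. Treating an unreadable note the
# same as a missing one (404) avoids confirming that a hidden note exists.
def award_emojis_hardened(user, issue, notes, note_id)
  raise AccessDenied unless can_read_issue?(user, issue)
  note = find_note(issue, notes, note_id)
  raise NotFound unless note && can_read_note?(user, note)
  note.awards
end

# Wraps a handler and maps its errors to symbols so outcomes are easy to compare.
def outcome(handler, user, issue, notes, note_id)
  send(handler, user, issue, notes, note_id)
rescue AccessDenied then :denied
rescue NotFound     then :not_found
end

# Constructed sample data.
ISSUE = Issue.new(7, false)
NOTES = [
  Note.new(100, ISSUE, false, ['thumbsup']),   # public note
  Note.new(101, ISSUE, true,  ['eyes']),       # internal note
].freeze
GUEST    = User.new('guest', :guest)
REPORTER = User.new('reporter', :reporter)
OUTSIDER = User.new('outsider', nil)

if __FILE__ == $PROGRAM_NAME
  [GUEST, REPORTER, OUTSIDER].each do |u|
    v = outcome(:award_emojis_vulnerable, u, ISSUE, NOTES, 101)
    h = outcome(:award_emojis_hardened,   u, ISSUE, NOTES, 101)
    puts "#{u.name.ljust(8)} internal note 101: vulnerable=#{v.inspect} hardened=#{h.inspect}"
  end
end
```

Running the script shows the guest receiving the internal note's awards from the vulnerable handler and a not-found result from the hardened one, while the reporter is served by both and the non-member is denied at the issue check in both.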
This requires a note_id, so it is not easy to exploit, but the note_id can be obtained from email notifications if the user previously had access to the note.