
Check notes permissions (confidential notes) when sending notifications

Jarka Košanová requested to merge recipients-confidential-notes into master

What does this MR do?

Part of #207469 (closed)

We are introducing confidential notes and we have to make sure users who can't see them don't receive notifications.

The permissions check happens in https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/notification_recipient.rb#L97 . The method has_access? checks access based on target. The target for a note used to be the noteable. Now, however, we need to use the note, as we also need to check note confidentiality.

We can't simply override the target method as it is used for other methods (e.g. participants or subscribers).

Therefore I introduced a new method permissions_target.

This MR also fixes permissions for admins as they should be allowed to see and manage confidential notes.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Edited by Justin Farris
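
The sketch below is an added illustration of the change the description outlines, not code from this merge request or from GitLab. Only target, permissions_target and has_access? are names the description uses; User, Issue, Note, Recipient, can_read?, notified, the check_note switch and the three roles are hypothetical, and the policy is a constructed stand-in.

```ruby
# Simplified model; every class, role and helper here is a constructed assumption.
User  = Struct.new(:name, :role)            # roles: :guest, :member, :admin
Issue = Struct.new(:title)                  # plays the noteable
Note  = Struct.new(:noteable, :confidential)

# Hypothetical policy: confidential notes are readable by members and admins only.
def can_read?(user, object)
  return true if user.role == :admin        # admins may see confidential notes
  case object
  when Note  then !object.confidential || user.role == :member
  when Issue then true
  else false
  end
end

class Recipient
  # check_note: false models the old behaviour, true the behaviour described above.
  def initialize(user, note, check_note:)
    @user = user
    @note = note
    @check_note = check_note
  end

  # Unchanged: other lookups (participants, subscribers) rely on the noteable.
  def target
    @note.noteable
  end

  # The object the permission check runs against.
  def permissions_target
    @check_note ? @note : target
  end

  def has_access?
    can_read?(@user, permissions_target)
  end
end

# Names of the users who would be notified about the note.
def notified(users, note, check_note:)
  users.select { |u| Recipient.new(u, note, check_note: check_note).has_access? }
       .map(&:name)
end

USERS = [User.new("guest", :guest), User.new("member", :member), User.new("admin", :admin)]
SECRET = Note.new(Issue.new("constructed issue"), true)

puts "checking noteable: #{notified(USERS, SECRET, check_note: false).inspect}"
puts "checking note:     #{notified(USERS, SECRET, check_note: true).inspect}"
```

Checking the noteable lets the guest through because the issue itself is readable; checking the note filters the guest out while target still returns the issue.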
