Diffstat (limited to 'app/policies/issuable_policy.rb')
-rw-r--r-- | app/policies/issuable_policy.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f0aa16d2ecf..3f6d7d04667 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -3,6 +3,19 @@ class IssuablePolicy < BasePolicy
 condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
+ # We aren't checking `:read_issue` or `:read_merge_request` in this case
+ # because it could be possible for a user to see an issuable-iid
+ # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be allowed
+ # to read the actual issue after a more expensive `:read_issue` check.
+ #
+ # `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
+ condition(:visible_to_user, score: 4) do
+ Project.where(id: @subject.project)
+ .public_or_visible_to_user(@user)
+ .with_feature_available_for_user(@subject, @user)
+ .any?
+ end
+ condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
 desc "User is the assignee or author" |
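Review bot: The `visible_to_user` condition looks only at the project (`public_or_visible_to_user` and `with_feature_available_for_user`) and never at the issuable's own state, so it is safe only as a gate for the `*_iid` abilities the comment names; the comment explains why `:read_issue` is skipped but does not warn against reusing the condition elsewhere. I would add a line such as `# Project-level check only: never use this to grant :read_issue or :read_merge_request.` directly above the condition. Unlike `is_project_member` right after it, the block passes `@user` on without a nil guard, so it presumably relies on both scopes accepting an anonymous user; that is worth confirming with a spec for a signed-out user. The rule that consumes this condition is outside the hunk, so the actual grant cannot be checked here.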