Render 404 when polling commit notes without having permissions

3ae5f790 · Felipe Artur · bfb5107a · 3ae5f790 · 3ae5f790 · 3ae5f790
Commit 3ae5f790 authored 7 years ago by Felipe Artur
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -4,6 +4,7 @@ module NotesActions
  
  included do
    before_action :set_polling_interval_header, only: [:index]
+    before_action :noteable, only: :index
    before_action :authorize_admin_note!, only: [:update, :destroy]
    before_action :note_project, only: [:create]
  end
@@ -188,7 +189,7 @@ module NotesActions
  end
  
  def noteable
-    @noteable ||= notes_finder.target
+    @noteable ||= notes_finder.target || render_404
  end
  
  def last_fetched_at

--- a/changelogs/unreleased/issue_39176.yml
+++ b/changelogs/unreleased/issue_39176.yml
+---
+title: Render 404 when polling commit notes without having permissions
+merge_request:
+author:
+type: fixed
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -105,6 +105,19 @@ describe Projects::NotesController do
          expect(note_json[:discussion_html]).to be_nil
          expect(note_json[:diff_discussion_html]).to be_nil
        end
+
+        context 'when user cannot read commit' do
+          before do
+            allow(Ability).to receive(:allowed?).and_call_original
+            allow(Ability).to receive(:allowed?).with(user, :download_code, project).and_return(false)
+          end
+
+          it 'renders 404' do
+            get :index, params
+
+            expect(response).to have_gitlab_http_status(404)
+          end
+        end
      end
    end