Prevent award_emoji to notes not visible to user

When the parent noteable is not visible to the user (e.g. confidential) we prevent the user from adding emoji reactions to notes

Prevent award_emoji to notes not visible to user
9f67b886 · Heinrich Lee Yu · Yorick Peterse · 6c0758f6 · 9f67b886 · 9f67b886
Unverified Commit 9f67b886 authored 6 years ago by Heinrich Lee Yu Committed by Yorick Peterse 6 years ago
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,6 +18,7 @@ class NotePolicy < BasePolicy
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
+    prevent :award_emoji
  end
  
  rule { is_author }.policy do

--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -28,6 +28,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_disallowed(:admin_note)
          expect(policy).to be_disallowed(:resolve_note)
          expect(policy).to be_disallowed(:read_note)
+          expect(policy).to be_disallowed(:award_emoji)
        end
      end
  
@@ -40,6 +41,7 @@ describe NotePolicy, mdoels: true do
          expect(policy).to be_allowed(:admin_note)
          expect(policy).to be_allowed(:resolve_note)
          expect(policy).to be_allowed(:read_note)
+          expect(policy).to be_allowed(:award_emoji)
        end
      end
    end