From ed6c8238f3524feeab187b607362806ed1c666ad Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@selenight.nl>
Date: Mon, 25 Jul 2016 22:40:44 -0600
Subject: [PATCH] Add access checks for diff note and discussion resolution

---
 app/models/ability.rb    | 8 +++++++-
 app/models/discussion.rb | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/models/ability.rb b/app/models/ability.rb
index f33c8d61d3f..ac3bf441c32 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -257,6 +257,7 @@ class Ability
         :create_merge_request,
         :create_wiki,
         :push_code,
+        :resolve_note,
         :create_container_image,
         :update_container_image,
         :create_environment,
@@ -426,7 +427,8 @@ class Ability
         rules += [
           :read_note,
           :update_note,
-          :admin_note
+          :admin_note,
+          :resolve_note
         ]
       end
 
@@ -434,6 +436,10 @@ class Ability
         rules += project_abilities(user, note.project)
       end
 
+      if note.for_merge_request? && note.noteable.author == user
+        rules << :resolve_note
+      end
+
       rules
     end
 
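Review bot: The new condition `note.noteable.author == user` dereferences `note.noteable` without a nil check, so a merge-request note whose noteable is missing would raise NoMethodError while computing abilities rather than simply not granting `:resolve_note`; presumably callers never reach here with a dangling noteable, but a guard is cheap: `if note.for_merge_request? && note.noteable && note.noteable.author == user`. If this method can also be reached with a nil `user` (anonymous access), then `nil == nil` would grant the right whenever the merge request has no author, so prefixing the condition with `user &&` is worth considering. A one-line comment above the block would help the next reader, e.g. `# The merge request author may resolve discussions on it regardless of project role.` The enclosing method starts outside the hunk.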
diff --git a/app/models/discussion.rb b/app/models/discussion.rb
index 64116d225ae..cc586933112 100644
--- a/app/models/discussion.rb
+++ b/app/models/discussion.rb
@@ -63,6 +63,14 @@ class Discussion
     notes.any?(&:to_be_resolved?)
   end
 
+  def can_resolve?(current_user)
+    return false unless current_user
+    return false unless resolvable?
+
+    current_user == self.noteable.author ||
+      can?(current_user, :push_code, self.project)
+  end
+
   def resolve!(current_user)
     notes.each do |note|
       note.resolve!(current_user) if note.resolvable?
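Review bot: `can_resolve?` re-encodes the resolution rule (noteable author or `:push_code`) separately from the `:resolve_note` ability rules added to `Ability` in this same commit, so the two decision points can drift apart when one is changed later; delegating to the ability keeps a single source of truth, e.g. replacing the final expression with `notes.all? { |note| can?(current_user, :resolve_note, note) }` after the two guard clauses, since `can?` is already in use on the line below. The explicit `self.` receiver on `self.noteable` and `self.project` is redundant for attribute reads and the surrounding code (`notes.any?`, `notes.each`) omits it. `resolve!` continues past the end of the hunk.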
-- 
GitLab