Verify that mentioned user can read TODO's note

Merge branch 'security-check-read-note-permissions-before-creating-todo-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2397 Changelog: security

Verify that mentioned user can read TODO's note
fd166c1b · Eugenia Grieff · GitLab Release Tools Bot · 0a0775a3 · fd166c1b · fd166c1b
Commit fd166c1b authored 2 years ago by Eugenia Grieff Committed by GitLab Release Tools Bot 2 years ago
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -369,8 +369,6 @@ class TodoService
  end
  
  def reject_users_without_access(users, parent, target)
-    target = target.noteable if target.is_a?(Note)
-
    if target.respond_to?(:to_ability_name)
      select_users(users, :"read_#{target.to_ability_name}", target)
    else

--- a/spec/services/todo_service_spec.rb
+++ b/spec/services/todo_service_spec.rb
@@ -391,6 +391,7 @@ RSpec.describe TodoService do
      let!(:second_todo) { create(:todo, :assigned, user: john_doe, project: project, target: issue, author: author) }
      let(:confidential_issue) { create(:issue, :confidential, project: project, author: author, assignees: [assignee]) }
      let(:note) { create(:note, project: project, noteable: issue, author: john_doe, note: mentions) }
+      let(:confidential_note) { create(:note, :confidential, project: project, noteable: issue, author: john_doe, note: mentions) }
      let(:addressed_note) { create(:note, project: project, noteable: issue, author: john_doe, note: directly_addressed) }
      let(:note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: mentions) }
      let(:addressed_note_on_commit) { create(:note_on_commit, project: project, author: john_doe, note: directly_addressed) }
@@ -468,6 +469,17 @@ RSpec.describe TodoService do
        should_create_todo(user: john_doe, target: confidential_issue, author: john_doe, action: Todo::DIRECTLY_ADDRESSED, note: addressed_note_on_confidential_issue)
      end
  
+      it 'does not create todo if user can not read confidential note' do
+        service.new_note(confidential_note, john_doe)
+
+        should_not_create_todo(user: non_member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_not_create_todo(user: guest, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: member, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: author, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: assignee, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+        should_create_todo(user: john_doe, target: issue, author: john_doe, action: Todo::MENTIONED, note: confidential_note)
+      end
+
      context 'commits' do
        let(:base_commit_todo_attrs) { { target_id: nil, target_type: 'Commit', author: john_doe } }