Unverified commit b0ebfa3d authored by Nick Thomas

Send TODOs for comments on commits correctly

At present, the TodoService uses the `:read_project` ability to decide
whether a user can read a note on a commit. However, commits can have a
visibility level that is more restricted than the project, so this is a
security issue.

This commit changes the code to use the `:read_commit` ability in this
case instead, which ensures TODOs are only generated for commit notes
if the user can see the commit.
parent 4a6d22ba
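The following is an added illustration of the authorization point made in the commit message; it is not GitLab's code. It models, with constructed toy classes and a hypothetical ability model, why gating a TODO for a note on a commit on the project-level ability lets a user who cannot see the commit receive a TODO about it, and how checking the more specific commit-level ability closes that gap.

```ruby
# Added toy model (not GitLab code): a project's visibility can be looser
# than the visibility of one of its commits, so an authorization check
# for a note on a commit must use the commit's ability, not the project's.

# Visibility levels, loosest last (constructed for this example).
VISIBILITY_LEVELS = %i[private internal public].freeze

Project = Struct.new(:name, :visibility, :members)
# A commit may carry a visibility more restricted than its project (nil = inherit).
Commit  = Struct.new(:sha, :project, :visibility)
Note    = Struct.new(:author, :noteable, :mentions)
User    = Struct.new(:name)

# Hypothetical :read_project ability.
def can_read_project?(user, project)
  return true if %i[public internal].include?(project.visibility)
  project.members.include?(user)
end

# Hypothetical :read_commit ability: requires the project AND honours the
# commit's own, possibly stricter, visibility level.
def can_read_commit?(user, commit)
  return false unless can_read_project?(user, commit.project)
  level = commit.visibility || commit.project.visibility
  return true if %i[public internal].include?(level)
  commit.project.members.include?(user)
end

# Insecure behaviour the commit message describes: only :read_project is checked,
# so a non-member is handed a TODO about a commit they cannot open.
def todo_recipients_insecure(note)
  note.mentions.select { |u| can_read_project?(u, note.noteable.project) }
end

# Fixed behaviour: when the noteable is a commit, check :read_commit instead.
def todo_recipients_secure(note)
  note.mentions.select do |u|
    case note.noteable
    when Commit then can_read_commit?(u, note.noteable)
    else can_read_project?(u, note.noteable.project)
    end
  end
end

# Constructed sample data: a public project containing a private commit.
ALICE   = User.new("alice")          # project member
BOB     = User.new("bob")            # not a member
PROJECT = Project.new("demo", :public, [ALICE])
COMMIT  = Commit.new("deadbeef", PROJECT, :private)
SAMPLE_NOTE = Note.new(ALICE, COMMIT, [ALICE, BOB])

if __FILE__ == $PROGRAM_NAME
  puts "insecure: #{todo_recipients_insecure(SAMPLE_NOTE).map(&:name).inspect}"
  puts "secure:   #{todo_recipients_secure(SAMPLE_NOTE).map(&:name).inspect}"
end
```

Run it and the insecure path yields a TODO for both mentioned users, while the secure path yields one only for the project member who can actually read the private commit. The general rule it demonstrates is to authorize against the most specific resource involved (the commit), since a container-level check (the project) is only a necessary, not a sufficient, condition.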