......@@ -78,7 +78,7 @@ module NotesActions
# rubocop:disable Gitlab/ModuleWithInstanceVariables
def update
@note = Notes::UpdateService.new(project, current_user, note_params).execute(note)
@note = Notes::UpdateService.new(project, current_user, update_note_params).execute(note)
prepare_notes_for_rendering([@note])
respond_to do |format|
......@@ -216,6 +216,10 @@ module NotesActions
)
end
def update_note_params
params.require(:note).permit(:note)
end
def set_polling_interval_header
Gitlab::PollingInterval.set_header(response, interval: 6_000)
end
......
......
---
title: Only allow modification of content when note is edited
merge_request:
author:
type: security
......@@ -431,7 +431,8 @@ describe Projects::NotesController do
end
describe 'PUT update' do
context "should update the note with a valid issue" do
context "updates the note" do
context 'with a valid issue' do
let(:request_params) do
{
namespace_id: project.namespace,
......@@ -449,10 +450,58 @@ describe Projects::NotesController do
project.add_developer(note.author)
end
it "updates the note" do
it "updates the note content" do
expect { put :update, params: request_params }.to change { note.reload.note }
end
end
context "when the note is edited and a different issue is targeted" do
##
# We are editing a note originally in a public issue of a public project,
# but the edit can be intercepted to change the target to a different, even confidential, issue
# see https://gitlab.com/gitlab-org/gitlab-ce/issues/57153
##
let!(:confidential_issue) { create(:issue, :confidential, project: project) }
let(:new_content) { "splendiferous new content" }
let(:request_params) do
{
namespace_id: project.namespace,
project_id: project,
id: note,
format: :json,
note: {
note: new_content,
noteable_id: confidential_issue.id
}
}
end
before do
sign_in(note.author)
project.add_developer(note.author)
put :update, params: request_params
end
it 'returns success' do
expect(response.status).to eq 200
end
it 'edits the note content' do
expect(note.reload.note).to eq new_content
end
it 'does not create a note in the confidential issue' do
expect(confidential_issue.reload.notes).to be_empty
end
it "does not modify the note's issue" do
expect(note.noteable_id).to match note.reload.noteable_id
end
end
end
context "doesnt update the note" do
let(:issue) { create(:issue, :confidential, project: project) }
let(:note) { create(:note, noteable: issue, project: project) }
......
......