Check notes permissions (confidential notes) when sending notifications
What does this MR do?
Part of #207469 (closed)
We are introducing confidential notes and we have to make sure users who can't see them don't receive notifications.
The permissions check happens in https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/notification_recipient.rb#L97. Method has_access? checks access based on target. The target for a note used to be noteable. Now, however, we need to use note, as we also need to check note confidentiality.
We can't simply override the target method as it is used for other methods (e.g. participants or subscribers). Therefore I introduced a new method permissions_target.
This MR also fixes permissions for admins as they should be allowed to see and manage confidential notes.
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- [-] Merge request performance guidelines
- Style guides
- [-] Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Edited by Justin Farris
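
The split between target and permissions_target described above, as an added sketch that is not code from this MR or from GitLab: only the method names target, permissions_target and has_access? come from the description. The structs, the can_read? policy (members and admins may read confidential notes), has_access_via_target? and notify_list are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's code: every class, field and policy rule
# below is a constructed stand-in for the real models.
User  = Struct.new(:name, :admin, :member, keyword_init: true)
Issue = Struct.new(:title)
Note  = Struct.new(:noteable, :confidential, keyword_init: true)

# Assumed policy: anyone may read the issue; a confidential note is readable
# only by project members and admins.
def can_read?(user, subject)
  case subject
  when Issue then true
  when Note  then !subject.confidential || user.member || user.admin
  else false
  end
end

class Recipient
  attr_reader :user

  def initialize(user, note)
    @user = user
    @note = note
  end

  # Unchanged: participant and subscriber lookups still use the noteable.
  def target
    @note.noteable
  end

  # Subject of the access check only, so note confidentiality is evaluated.
  def permissions_target
    @note
  end

  # Old behaviour: access judged on the noteable alone.
  def has_access_via_target?
    can_read?(user, target)
  end

  def has_access?
    can_read?(user, permissions_target)
  end
end

# Names of the users who would be notified about `note`.
def notify_list(users, note, check: :has_access?)
  users.map { |u| Recipient.new(u, note) }.select(&check).map { |r| r.user.name }
end
```

Checking against the noteable alone lets a user who can read the issue receive a notification for a confidential note on it; checking against the note filters that user out while target keeps returning the issue.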