Merge branch 'security-commit-private-related-mr' into 'master'

Don't allow non-members to see private related MRs Closes #2787 See merge request gitlab/gitlabhq!2866
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:37:10 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 21:37:10 +0300
commit: 6683298fe6d85bb0785906723663482798418907 (patch)
tree: fafecb6b03174e521879d21f81d8bf39120c51c5 /app/controllers/projects/commit_controller.rb
parent: a43fd6acb697edc897e930dee7c636e4d714565e (diff)
parent: 325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb
index b13c0ae3967..939a09d4fd2 100644
--- a/app/controllers/projects/commit_controller.rb
+++ b/app/controllers/projects/commit_controller.rb
@@ -65,7 +65,11 @@ class Projects::CommitController < Projects::ApplicationController
   # rubocop: enable CodeReuse/ActiveRecord
 
   def merge_requests
-    @merge_requests = @commit.merge_requests.map do |mr|
+    @merge_requests = MergeRequestsFinder.new(
+      current_user,
+      project_id: @project.id,
+      commit_sha: @commit.sha
+    ).execute.map do |mr|
       { iid: mr.iid, path: merge_request_path(mr), title: mr.title }
     end
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:37:10 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 21:37:10 +0300
commit	6683298fe6d85bb0785906723663482798418907 (patch)
tree	fafecb6b03174e521879d21f81d8bf39120c51c5 /app/controllers/projects/commit_controller.rb
parent	a43fd6acb697edc897e930dee7c636e4d714565e (diff)
parent	325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff)