diff options
author | Phil Hughes <me@iamphill.com> | 2016-09-02 11:28:25 +0300 |
---|---|---|
committer | Phil Hughes <me@iamphill.com> | 2016-09-13 10:44:59 +0300 |
commit | b3d75ac5135130522f253d4b09f72a7c0a8e2f80 (patch) | |
tree | 506fc31ec850b51eaf7ac389736539607bbd065e /app/controllers/projects/group_links_controller.rb | |
parent | e477ad44565dbe69e3f0200f4f4f7bebbd48cb15 (diff) |
Return 403 if user can't update group
Diffstat (limited to 'app/controllers/projects/group_links_controller.rb')
-rw-r--r-- | app/controllers/projects/group_links_controller.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb index 57c54bf625a..b5e314dced3 100644 --- a/app/controllers/projects/group_links_controller.rb +++ b/app/controllers/projects/group_links_controller.rb @@ -21,6 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController def update @group_link = @project.project_group_links.find(params[:id]) + return render_403 unless can?(current_user, action_member_permission(:admin, @group_link.group), @group_link.group) @group_link.update_attributes(group_link_params) end |