Merge remote-tracking branch 'dev/security-2873-restrict-slash-commands-to-users-who-can-log-in'

author: John T Skarbek <jskarbek@gitlab.com> 2019-08-14 21:11:04 +0300
committer: John T Skarbek <jskarbek@gitlab.com> 2019-08-14 21:11:04 +0300
commit: 2b2efbc609a85093238ee3bec94358670021d0e5 (patch)
tree: 671ff737363c10b61e4a970e1c108319cc07e37d /app/models/project_services
parent: affa81eb79ec0ca01a1a0c2733cc5cdffb3b9ff1 (diff)
parent: 7b52cff4896c8f681aea34fb273209400cf3e06e (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/app/models/project_services/slash_commands_service.rb b/app/models/project_services/slash_commands_service.rb
index 5f5cff97808..cb16ad75d14 100644
--- a/app/models/project_services/slash_commands_service.rb
+++ b/app/models/project_services/slash_commands_service.rb
@@ -35,6 +35,8 @@ class SlashCommandsService < Service
     chat_user = find_chat_user(params)
 
     if chat_user&.user
+      return Gitlab::SlashCommands::Presenters::Access.new.access_denied unless chat_user.user.can?(:use_slash_commands)
+
       Gitlab::SlashCommands::Command.new(project, chat_user, params).execute
     else
       url = authorize_chat_name_url(params)
author	John T Skarbek <jskarbek@gitlab.com>	2019-08-14 21:11:04 +0300
committer	John T Skarbek <jskarbek@gitlab.com>	2019-08-14 21:11:04 +0300
commit	2b2efbc609a85093238ee3bec94358670021d0e5 (patch)
tree	671ff737363c10b61e4a970e1c108319cc07e37d /app/models/project_services
parent	affa81eb79ec0ca01a1a0c2733cc5cdffb3b9ff1 (diff)
parent	7b52cff4896c8f681aea34fb273209400cf3e06e (diff)