Only assign merge params when allowed

When a user updates a merge request coming from a fork, they should not be able to set `force_remove_source_branch` if they cannot push code to the source project. Otherwise developers of the target project could remove the source branch of the source project by setting this flag through the API.
author: Bob Van Landuyt <bob@vanlanduyt.co> 2019-09-25 19:25:40 +0300
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2019-10-24 13:19:56 +0300
commit: 20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (patch)
tree: 9a6c1fc7836513723d2948ec1cd53dc268b25bf7 /app/models
parent: dc0622dbe3cd552abca4107557c6c09edb23625c (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index cd8ede3905a..67f666a89b2 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -69,6 +69,14 @@ class MergeRequest < ApplicationRecord
   has_many :merge_request_assignees
   has_many :assignees, class_name: "User", through: :merge_request_assignees
 
+  KNOWN_MERGE_PARAMS = [
+    :auto_merge_strategy,
+    :should_remove_source_branch,
+    :force_remove_source_branch,
+    :commit_message,
+    :squash_commit_message,
+    :sha
+  ].freeze
   serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize
 
   after_create :ensure_merge_request_diff
author	Bob Van Landuyt <bob@vanlanduyt.co>	2019-09-25 19:25:40 +0300
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2019-10-24 13:19:56 +0300
commit	20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (patch)
tree	9a6c1fc7836513723d2948ec1cd53dc268b25bf7 /app/models
parent	dc0622dbe3cd552abca4107557c6c09edb23625c (diff)