author | Douwe Maan <douwe@gitlab.com> | 2016-11-10 13:23:44 +0300 |
---|---|---|
committer | Alejandro RodrÃguez <alejorro70@gmail.com> | 2016-11-29 03:24:19 +0300 |
commit | 3d7704ae5f62446b8b399c796c64d1f527666376 (patch) | |
tree | 05790324eef305e2c2198366c7faa3767b5db8d8 /app/services/labels | |
parent | ec5d0472288cac599d76a27870804e86fe29ffaf (diff) |
Merge branch 'zj-fix-label-creation-non-members' into 'security'
Fix label creation non members
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416
See merge request !2006
Diffstat (limited to 'app/services/labels')
-rw-r--r-- | app/services/labels/find_or_create_service.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/app/services/labels/find_or_create_service.rb b/app/services/labels/find_or_create_service.rb
index d622f9edd33..cf4f7606c94 100644
--- a/app/services/labels/find_or_create_service.rb
+++ b/app/services/labels/find_or_create_service.rb
@@ -22,9 +22,14 @@ module Labels
 ).execute(skip_authorization: skip_authorization)
 end

+ # Only creates the label if current_user can do so, if the label does not exist
+ # and the user can not create the label, nil is returned
 def find_or_create_label
 new_label = available_labels.find_by(title: title)
- new_label ||= project.labels.create(params)
+
+ if new_label.nil? && (skip_authorization || Ability.allowed?(current_user, :admin_label, project))
+ new_label = project.labels.create(params)
+ end

 new_label
 end |
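Review bot: The comment added above `find_or_create_label` documents the new nil return but not the `skip_authorization` branch, which bypasses the `:admin_label` check entirely. Since that flag is the only way around the fix, it is worth stating next to the check, e.g. `# skip_authorization bypasses the :admin_label check; set it only from trusted, non-user-driven callers`. The method can now also return nil where it previously always returned a label object, so callers (outside this hunk) that use the result directly probably need a nil guard; this is worth confirming against each call site. The comment could also note that `project.labels.create(params)` may return an unpersisted record when validation fails, which gives callers three outcomes to tell apart rather than two.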