Add latest changes from gitlab-org/security/gitlab@15-10-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:36 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:49 +0300
commit: 56ff640a2f919e9d0e450964081381a8eccef5e4 (patch)
tree: 5fd092431f067f6e2d21f887efa8dd0194a89f5b /app/services
parent: 3dd03a1a19e6b788ec1296044e28f7727e5149a6 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/app/services/merge_requests/push_options_handler_service.rb b/app/services/merge_requests/push_options_handler_service.rb
index 235dc6678df..e9abafceb13 100644
--- a/app/services/merge_requests/push_options_handler_service.rb
+++ b/app/services/merge_requests/push_options_handler_service.rb
@@ -54,7 +54,15 @@ module MergeRequests
     end
 
     def validate_service
-      errors << 'User is required' if current_user.nil?
+      if current_user.nil?
+        errors << 'User is required'
+        return
+      end
+
+      unless current_user&.can?(:read_code, target_project)
+        errors << 'User access was denied'
+        return
+      end
 
       unless target_project.merge_requests_enabled?
         errors << "Merge requests are not enabled for project #{target_project.full_path}"
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:36 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:49 +0300
commit	56ff640a2f919e9d0e450964081381a8eccef5e4 (patch)
tree	5fd092431f067f6e2d21f887efa8dd0194a89f5b /app/services
parent	3dd03a1a19e6b788ec1296044e28f7727e5149a6 (diff)