author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:10 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:34:10 +0300 |
commit | e20fb7cb395e9c6594a098eddd816079259f64d9 (patch) | |
tree | d111292dbd7348f0c87146444259593ebfe64f3f /app | |
parent | 4ed9802a40a992bfd5c8bf2c41499d54e44aff5a (diff) | |
parent | 1c7c91806d4b9866f512f50f36c9c74b48cb8229 (diff) |
Merge branch 'security-mr-head-pipeline-leak' into 'master'
Permission fix for MergeRequestsController#pipeline_status
See merge request gitlab/gitlabhq!3274
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 10a9a1e8998..75d4a24b559 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -189,7 +189,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
 def pipeline_status
 render json: PipelineSerializer
 .new(project: @project, current_user: @current_user)
- .represent_status(@merge_request.head_pipeline)
+ .represent_status(head_pipeline)
 end
 def ci_environments_status
@@ -239,6 +239,13 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
 private
+ def head_pipeline
+ strong_memoize(:head_pipeline) do
+ pipeline = @merge_request.head_pipeline
+ pipeline if can?(current_user, :read_pipeline, pipeline)
+ end
+ end
+
 def ci_environments_status_on_merge_result?
 params[:environment_target] == 'merge_commit'
 end |
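Review bot: In `pipeline_status` the serializer is still constructed with `@current_user`, while the new `head_pipeline` helper authorizes against `current_user`. The permission check and the serialization should go through the same accessor so they cannot diverge, for example `.new(project: @project, current_user: current_user)`. Whether the instance variable and the method always hold the same user is not visible in this hunk.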
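Review bot: `head_pipeline` calls `can?(current_user, :read_pipeline, pipeline)` even when the merge request has no head pipeline, so the outcome depends on the policy layer denying a nil subject (presumably it does, but that is defined outside this diff). An explicit guard removes that dependency: `pipeline if pipeline && can?(current_user, :read_pipeline, pipeline)`. The helper would also benefit from a comment such as `# Returns the head pipeline only when current_user may read it; nil otherwise, so "no pipeline" and "not permitted" render identically.` Any other action in this controller that reads `@merge_request.head_pipeline` directly lies outside the hunk and would need to use this helper as well. The diffstat is limited to `app`, so confirm that a spec covers a user who can see the merge request but not its pipelines.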