
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-30 00:34:10 +0300
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-30 00:34:10 +0300
commite20fb7cb395e9c6594a098eddd816079259f64d9 (patch)
treed111292dbd7348f0c87146444259593ebfe64f3f /app
parent4ed9802a40a992bfd5c8bf2c41499d54e44aff5a (diff)
parent1c7c91806d4b9866f512f50f36c9c74b48cb8229 (diff)
Merge branch 'security-mr-head-pipeline-leak' into 'master'
Permission fix for MergeRequestsController#pipeline_status See merge request gitlab/gitlabhq!3274
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/merge_requests_controller.rb9
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index 10a9a1e8998..75d4a24b559 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -189,7 +189,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
def pipeline_status
render json: PipelineSerializer
.new(project: @project, current_user: @current_user)
- .represent_status(@merge_request.head_pipeline)
+ .represent_status(head_pipeline)
end
def ci_environments_status
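Review bot: In `pipeline_status`, a user who lacks `:read_pipeline` now causes `represent_status` to receive `nil`, the same value it gets for a merge request that has no pipeline at all. That keeps the two cases indistinguishable to the caller, but nothing visible here shows that the serializer renders `nil` as an empty status rather than raising. The diffstat is limited to `app`, so a spec may exist outside this view; if not, a controller spec that requests `pipeline_status` as a user without pipeline access and asserts that the JSON carries no status fields would pin the fix. As a style point, the action passes `@current_user` to the serializer while the new helper uses `current_user`; using one form throughout makes it obvious that both refer to the same principal.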
@@ -239,6 +239,13 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
private
+ def head_pipeline
+ strong_memoize(:head_pipeline) do
+ pipeline = @merge_request.head_pipeline
+ pipeline if can?(current_user, :read_pipeline, pipeline)
+ end
+ end
+
def ci_environments_status_on_merge_result?
params[:environment_target] == 'merge_commit'
end
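Review bot: The private `head_pipeline` helper has the same name as `MergeRequest#head_pipeline` but different semantics, since it returns `nil` when `current_user` may not read the pipeline, and it carries no comment saying so. I would add `# Head pipeline of the merge request, or nil when current_user is not allowed to read it.` above the `def`. Because the check lives in this controller helper rather than on the model or serializer, any other action that still reads `@merge_request.head_pipeline` directly is not covered by it; the rest of the controller is outside this hunk, so those call sites should be audited. When the merge request has no pipeline, `can?` is called with a `nil` subject, which presumably is denied by the policy layer; that should be confirmed.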