author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:21:05 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:21:05 +0300 |
commit | f29fb4759633fb9ca0a9ececd8b031f43a2ba05c (patch) | |
tree | 1e5ab018b28fe2847cab87992acd8203179b60c7 /app | |
parent | 366821469ead4548735d6ddd4832f024de6b4fc0 (diff) | |
parent | 912bd48c319d2bfa96a3522f096d8637cf850705 (diff) |
Merge branch 'security-commit-private-related-mr-11-8' into '11-8-stable'
Don't allow non-members to see private related MRs
See merge request gitlab/gitlabhq!2930
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/commit_controller.rb | 6 | ||||
-rw-r--r-- | app/finders/merge_requests_finder.rb | 9 |
2 files changed, 13 insertions, 2 deletions
diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb
index b13c0ae3967..939a09d4fd2 100644
--- a/app/controllers/projects/commit_controller.rb
+++ b/app/controllers/projects/commit_controller.rb
@@ -65,7 +65,11 @@ class Projects::CommitController < Projects::ApplicationController
 # rubocop: enable CodeReuse/ActiveRecord
 def merge_requests
- @merge_requests = @commit.merge_requests.map do |mr|
+ @merge_requests = MergeRequestsFinder.new(
+ current_user,
+ project_id: @project.id,
+ commit_sha: @commit.sha
+ ).execute.map do |mr|
 { iid: mr.iid, path: merge_request_path(mr), title: mr.title }
 end
diff --git a/app/finders/merge_requests_finder.rb b/app/finders/merge_requests_finder.rb
index b645011a3c5..93bee3f1488 100644
--- a/app/finders/merge_requests_finder.rb
+++ b/app/finders/merge_requests_finder.rb
@@ -37,13 +37,20 @@ class MergeRequestsFinder < IssuableFinder
 end
 def filter_items(_items)
- items = by_source_branch(super)
+ items = by_commit(super)
+ items = by_source_branch(items)
 items = by_wip(items)
 by_target_branch(items)
 end
 private
+ def by_commit(items)
+ return items unless params[:commit_sha].presence
+
+ items.by_commit_sha(params[:commit_sha])
+ end
+
 def source_branch
 @source_branch ||= params[:source_branch].presence
 end |
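Review bot: The new `MergeRequestsFinder.new(current_user, ...)` call in `merge_requests` has no comment explaining that it is there to keep merge requests the viewer cannot read out of the response. A later cleanup could restore the shorter `@commit.merge_requests` and bring the leak back. I would add above the call: `# Go through the finder so merge requests current_user cannot read are filtered out.` The visibility filtering itself happens inside the finder's base class, which this diff does not show, and `current_user` is presumably nil for signed-out requests. The diffstat is limited to app, so I cannot see whether a request spec covers a signed-out and a non-member viewer.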
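Review bot: In `by_commit`, the guard `return items unless params[:commit_sha].presence` uses `presence` as a predicate and then reads the param a second time on the next line. The `source_branch` helper in the same hunk memoizes its param instead. For consistency I would add a matching helper, `@commit_sha ||= params[:commit_sha].presence`, and write the guard as `return items unless commit_sha`, or at least use `params[:commit_sha].present?`. The `by_commit_sha` scope is defined outside this diff, so how it matches the value (full or abbreviated SHA, any format check) cannot be confirmed from here.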