Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:08 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-03-30 02:49:18 +0300
commit: 38dadcee569adfbbb1c9dc99634bba4e9a9128bc (patch)
tree: 32661c6c5a8585196d1c84b7f4efcdc166cb8240 /app
parent: 05bbfffcd3692a70849628ff36ecb8eeac4902af (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/app/services/merge_requests/push_options_handler_service.rb b/app/services/merge_requests/push_options_handler_service.rb
index 235dc6678df..e9abafceb13 100644
--- a/app/services/merge_requests/push_options_handler_service.rb
+++ b/app/services/merge_requests/push_options_handler_service.rb
@@ -54,7 +54,15 @@ module MergeRequests
     end
 
     def validate_service
-      errors << 'User is required' if current_user.nil?
+      if current_user.nil?
+        errors << 'User is required'
+        return
+      end
+
+      unless current_user&.can?(:read_code, target_project)
+        errors << 'User access was denied'
+        return
+      end
 
       unless target_project.merge_requests_enabled?
         errors << "Merge requests are not enabled for project #{target_project.full_path}"
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:08 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-03-30 02:49:18 +0300
commit	38dadcee569adfbbb1c9dc99634bba4e9a9128bc (patch)
tree	32661c6c5a8585196d1c84b7f4efcdc166cb8240 /app
parent	05bbfffcd3692a70849628ff36ecb8eeac4902af (diff)