author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:13:19 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-28 15:13:26 +0300 |
commit | c49ef67dc34ca5770ca16ce3df17786f82cfbcb2 (patch) | |
tree | a28b8cfc9e2e0425de24e654886e1ab3a28407fd /app | |
parent | f36b8d30e5026d0d4c76ca8103e53f241cf71d7c (diff) |
Add latest changes from gitlab-org/security/gitlab@16-1-stable-ee
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/import/github_controller.rb | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/app/controllers/import/github_controller.rb b/app/controllers/import/github_controller.rb
index 41477519ba5..12210afd44a 100644
--- a/app/controllers/import/github_controller.rb
+++ b/app/controllers/import/github_controller.rb
@@ -7,6 +7,8 @@ class Import::GithubController < Import::BaseController
 include ActionView::Helpers::SanitizeHelper
 include Import::GithubOauth
+ before_action :authorize_owner_access!, except: [:new, :callback, :personal_access_token, :status, :details, :create,
+ :realtime_changes, :cancel_all, :counts]
 before_action :verify_import_enabled
 before_action :provider_auth, only: [:status, :realtime_changes, :create]
 before_action :expire_etag_cache, only: [:status, :create]
@@ -92,8 +94,6 @@ class Import::GithubController < Import::BaseController
 end
 def failures
- project = Project.imported_from(provider_name).find(params[:project_id])
-
 unless project.import_finished?
 return render status: :bad_request, json: {
 message: _('The import is not complete.')
@@ -107,7 +107,6 @@ class Import::GithubController < Import::BaseController
 end
 def cancel
- project = Project.imported_from(provider_name).find(params[:project_id])
 result = Import::Github::CancelProjectImportService.new(project, current_user).execute
 if result[:status] == :success
@@ -168,6 +167,14 @@ class Import::GithubController < Import::BaseController
 private
+ def project
+ @project ||= Project.imported_from(provider_name).find(params[:project_id])
+ end
+
+ def authorize_owner_access!
+ return render_404 unless current_user.can?(:owner_access, project)
+ end
+
+ def import_params
 params.permit(permitted_import_params)
 end |
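Review bot: The `except:` list on the new `before_action :authorize_owner_access!` exempts nine actions whose bodies are outside this hunk, so it cannot be confirmed from here that none of them loads a project from `params[:project_id]`; `:details` and `:cancel_all` are the ones I would check by hand. The deny-list form does mean any action added later is owner-checked by default, which is the safer direction, but that intent is not written down. I would put a comment above the callback, for example `# Owner check applies to every action that loads a project from params (at least failures and cancel); actions listed here must not read params[:project_id].` The callback is also registered ahead of `verify_import_enabled`, so the project lookup runs even when the importer is disabled; swapping the order would avoid that query, assuming nothing depends on the current sequence.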
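Review bot: `authorize_owner_access!` calls `current_user.can?` with no guard for a missing user, so it depends on an authentication callback in `Import::BaseController` or above, not visible in this diff, having already run; a one-line comment stating that dependency would help the next reader. The leading `return` is redundant as the last statement of a callback, and the line reads more plainly as `render_404 unless current_user.can?(:owner_access, project)`. The memoised `project` helper uses `find`, which raises when the id is unknown or the project is not a GitHub import. Presumably that surfaces as the same 404 as a failed permission check, which is the behaviour you want so the response does not reveal which project ids exist. The controller spec should cover both the not-found and the non-owner case for `failures` and `cancel`; the diffstat here is limited to `app`, so I cannot tell whether it does.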