diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:43:01 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-26 10:43:01 +0300 |
commit | 71636fed6e048b41cc595871bea412d6e75c56ea (patch) | |
tree | 39f54a2b617026c04b62a325a975e7954c8431f5 /app | |
parent | ffb237a45b3232d0deebcbfbbc5daf3515038dfd (diff) | |
parent | 0b0ee2bc9df042ba7a7d4dc9135c45170ca65c93 (diff) |
Merge branch 'security-mr-head-pipeline-leak-12-1' into '12-1-stable'
Permission fix for MergeRequestsController#pipeline_status
See merge request gitlab/gitlabhq!3278
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index c9a1f28f87e..a2e6f878f90 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -189,7 +189,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo def pipeline_status render json: PipelineSerializer .new(project: @project, current_user: @current_user) - .represent_status(@merge_request.head_pipeline) + .represent_status(head_pipeline) end def ci_environments_status @@ -239,6 +239,13 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo private + def head_pipeline + strong_memoize(:head_pipeline) do + pipeline = @merge_request.head_pipeline + pipeline if can?(current_user, :read_pipeline, pipeline) + end + end + def ci_environments_status_on_merge_result? params[:environment_target] == 'merge_commit' end |