
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorRobert Speicher <robert@gitlab.com>2016-04-26 00:10:18 +0300
committerRémy Coutable <remy@rymai.me>2016-04-26 13:00:10 +0300
commit7eda355e3aff0d66889d420441c40a63b6ee5482 (patch)
tree80ce481ec6935ed9d732125cfac16d371c55bde1 /app
parentf349d939c12636cac8a9d92fb551f6fb78af52a4 (diff)
Merge branch '15591-fix-project-leak-in-new-mr-view' into 'master'
Prevent information disclosure via new merge request page Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963 Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app')
-rw-r--r--app/services/merge_requests/build_service.rb3
1 files changed, 3 insertions, 0 deletions
diff --git a/app/services/merge_requests/build_service.rb b/app/services/merge_requests/build_service.rb
index a9b29f9654d..572bddd7fd6 100644
--- a/app/services/merge_requests/build_service.rb
+++ b/app/services/merge_requests/build_service.rb
@@ -9,6 +9,9 @@ module MergeRequests
merge_request.compare_commits = []
merge_request.compare_diffs = []
merge_request.source_project = project unless merge_request.source_project
+
+ merge_request.target_project = nil unless can?(current_user, :read_project, merge_request.target_project)
+
merge_request.target_project ||= (project.forked_from_project || project)
merge_request.target_branch ||= merge_request.target_project.default_branch
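Review bot: The added `can?(current_user, :read_project, ...)` guard covers only a caller-supplied target project; the context line above it, `merge_request.source_project = project unless merge_request.source_project`, still keeps whatever source project arrived with the params without any permission check. If the source project can be set from the request (the permitted params are not visible in this hunk), the same disclosure is presumably reachable through that side. It deserves the same guard, placed before that line: `merge_request.source_project = nil unless can?(current_user, :read_project, merge_request.source_project)`. The fallback `project.forked_from_project` is also assigned unchecked, which matters if a fork's parent can be unreadable to the current user. The enclosing method starts and ends outside the hunk, so later use of either project is not verifiable from here.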