author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:19:39 +0300 |
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:19:39 +0300 |
commit | b510221f50557357cd127ae446fc5280d2cb8941 (patch) | |
tree | dc7e48b271aeba2bcef2af4e2d1cdfe1b90b4e60 /app | |
parent | 98e45db15475557b66b6d33087886bde007ea783 (diff) | |
parent | 1caed442ae6ad141aaa8149dfc45c812533be51a (diff) |
Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-7' into '11-7-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2963
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/group_links_controller.rb | 5 | ||||
-rw-r--r-- | app/services/projects/group_links/create_service.rb | 10 |
2 files changed, 11 insertions, 4 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 7c713c19762..bc942ba9288 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -13,9 +13,10 @@ class Projects::GroupLinksController < Projects::ApplicationController
     group = Group.find(params[:link_group_id]) if params[:link_group_id].present?
 
     if group
-      return render_404 unless can?(current_user, :read_group, group)
+      result = Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+      return render_404 if result[:http_status] == 404
 
-      Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+      flash[:alert] = result[:message] if result[:http_status] == 409
     else
       flash[:alert] = 'Please select a group.'
     end
diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb
index 1392775f805..e3d5bea0852 100644
--- a/app/services/projects/group_links/create_service.rb
+++ b/app/services/projects/group_links/create_service.rb
@@ -4,13 +4,19 @@ module Projects
   module GroupLinks
     class CreateService < BaseService
       def execute(group)
-        return false unless group
+        return error('Not Found', 404) unless group && can?(current_user, :read_namespace, group)
 
-        project.project_group_links.create(
+        link = project.project_group_links.new(
           group: group,
           group_access: params[:link_group_access],
           expires_at: params[:expires_at]
         )
+
+        if link.save
+          success(link: link)
+        else
+          error(link.errors.full_messages.to_sentence, 409)
+        end
       end
     end
   end
|
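Review bot: The new branch in `create` reacts only to `result[:http_status]` values of 404 and 409; any other error status the service might return (its `error` helper appears to accept an arbitrary code, given the `error('Not Found', 404)` call in the second file) would fall through and be handled as a success by the redirect that follows the hunk. I would branch on the outcome rather than on two specific codes: keep `return render_404 if result[:http_status] == 404` and change the second line to `flash[:alert] = result[:message] if result[:status] == :error`, so an unforeseen error is never silently treated as a successful share. Moving the authorization into the service means every caller gets the `:read_namespace` check, and since an unknown group and an unreadable group both surface as 404 here, the status code does not act as an existence oracle. The `create` method starts before and continues after this hunk.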
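Review bot: The guard added at the top of `execute` authorizes `current_user` against the group (`:read_namespace`) but not against `project`; nothing in this service checks that the caller may administer the project being shared, so that check presumably lives in a controller `before_action` outside this diff and every other caller of the service would have to repeat it. Since the service is now the enforcement point for this fix, I would make it self-contained with a second guard, `return error('Not Found', 404) unless can?(current_user, :admin_project, project)`, keeping 404 so a probing user learns nothing from the status code. `params[:link_group_access]` and `params[:expires_at]` are also passed straight into the new record; whether `group_access` is constrained to the permitted `Gitlab::Access` values depends on `ProjectGroupLink` validations not shown here, which is worth confirming because the 409 branch would otherwise be the only thing rejecting an out-of-range level. `execute` lies entirely within the hunk; the enclosing `module Projects` opens before it.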