Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorYorick Peterse <yorickpeterse@gmail.com>2019-02-27 17:19:39 +0300
committerYorick Peterse <yorickpeterse@gmail.com>2019-02-27 17:19:39 +0300
commitb510221f50557357cd127ae446fc5280d2cb8941 (patch)
treedc7e48b271aeba2bcef2af4e2d1cdfe1b90b4e60 /app
parent98e45db15475557b66b6d33087886bde007ea783 (diff)
parent1caed442ae6ad141aaa8149dfc45c812533be51a (diff)
Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-7' into '11-7-stable'
Add public/internal groups as members to your Project(IDOR) See merge request gitlab/gitlabhq!2963
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/group_links_controller.rb5
-rw-r--r--app/services/projects/group_links/create_service.rb10
2 files changed, 11 insertions, 4 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 7c713c19762..bc942ba9288 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -13,9 +13,10 @@ class Projects::GroupLinksController < Projects::ApplicationController
group = Group.find(params[:link_group_id]) if params[:link_group_id].present?
if group
- return render_404 unless can?(current_user, :read_group, group)
+ result = Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+ return render_404 if result[:http_status] == 404
- Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+ flash[:alert] = result[:message] if result[:http_status] == 409
else
flash[:alert] = 'Please select a group.'
end
diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb
index 1392775f805..e3d5bea0852 100644
--- a/app/services/projects/group_links/create_service.rb
+++ b/app/services/projects/group_links/create_service.rb
@@ -4,13 +4,19 @@ module Projects
module GroupLinks
class CreateService < BaseService
def execute(group)
- return false unless group
+ return error('Not Found', 404) unless group && can?(current_user, :read_namespace, group)
- project.project_group_links.create(
+ link = project.project_group_links.new(
group: group,
group_access: params[:link_group_access],
expires_at: params[:expires_at]
)
+
+ if link.save
+ success(link: link)
+ else
+ error(link.errors.full_messages.to_sentence, 409)
+ end
end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 15:20:54 +0300