author | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-09-25 19:25:40 +0300 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2019-10-24 13:19:56 +0300 |
commit | 20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (patch) | |
tree | 9a6c1fc7836513723d2948ec1cd53dc268b25bf7 /changelogs | |
parent | dc0622dbe3cd552abca4107557c6c09edb23625c (diff) |

Only assign merge params when allowed

When a user updates a merge request coming from a fork, they should
not be able to set `force_remove_source_branch` if they cannot push
code to the source project.

Otherwise developers of the target project could remove the source
branch of the source project by setting this flag through the API.

Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml b/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml new file mode 100644 index 00000000000..50dc9c32c5d --- /dev/null +++ b/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml @@ -0,0 +1,6 @@ +--- +title: Don't allow maintainers of a target project to delete the source branch of + a merge request from a fork +merge_request: +author: +type: security |
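
Review bot: The `title:` of the new changelog entry names "maintainers of a target project", while the commit message says "developers of the target project" could set `force_remove_source_branch` through the API; the two should describe the same set of users. Consider wording the title around the actual condition from the commit message (a user who cannot push code to the source project) so readers of the changelog do not assume only maintainers were affected. `merge_request:` and `author:` are also left empty in this entry; fill in `merge_request:` once the number is known, or confirm that leaving it blank is intended here.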