Merge branch 'fix-api-mr-permissions' into 'security'

Ensure that only privileged users can access merge requests in the API See merge request !2053
author: Robert Speicher <robert@gitlab.com> 2017-01-03 21:03:13 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2017-01-23 21:54:35 +0300
commit: 3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch)
tree: 73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /lib/api/merge_request_diffs.rb
parent: d7755ede246988e3186a46b2c9fbd1b70660b529 (diff)
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/api/merge_request_diffs.rb b/lib/api/merge_request_diffs.rb
index 07435d78468..bc3d69f6904 100644
--- a/lib/api/merge_request_diffs.rb
+++ b/lib/api/merge_request_diffs.rb
@@ -15,10 +15,8 @@ module API
       end
 
       get ":id/merge_requests/:merge_request_id/versions" do
-        merge_request = user_project.merge_requests.
-          find(params[:merge_request_id])
+        merge_request = find_merge_request_with_access(params[:merge_request_id])
 
-        authorize! :read_merge_request, merge_request
         present merge_request.merge_request_diffs, with: Entities::MergeRequestDiff
       end
 
@@ -34,10 +32,8 @@ module API
       end
 
       get ":id/merge_requests/:merge_request_id/versions/:version_id" do
-        merge_request = user_project.merge_requests.
-          find(params[:merge_request_id])
+        merge_request = find_merge_request_with_access(params[:merge_request_id])
 
-        authorize! :read_merge_request, merge_request
         present merge_request.merge_request_diffs.find(params[:version_id]), with: Entities::MergeRequestDiffFull
       end
     end
author	Robert Speicher <robert@gitlab.com>	2017-01-03 21:03:13 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2017-01-23 21:54:35 +0300
commit	3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch)
tree	73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /lib/api/merge_request_diffs.rb
parent	d7755ede246988e3186a46b2c9fbd1b70660b529 (diff)