Merge branch 'security-commit-private-related-mr-11-8' into '11-8-stable'

Don't allow non-members to see private related MRs See merge request gitlab/gitlabhq!2930
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-27 17:21:05 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-27 17:21:05 +0300
commit: f29fb4759633fb9ca0a9ececd8b031f43a2ba05c (patch)
tree: 1e5ab018b28fe2847cab87992acd8203179b60c7 /lib/api
parent: 366821469ead4548735d6ddd4832f024de6b4fc0 (diff)
parent: 912bd48c319d2bfa96a3522f096d8637cf850705 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 9d23daafe95..be682982897 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,10 +318,18 @@ module API
         use :pagination
       end
       get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+        authorize! :read_merge_request, user_project
+
         commit = user_project.commit(params[:sha])
         not_found! 'Commit' unless commit
 
-        present paginate(commit.merge_requests), with: Entities::MergeRequestBasic
+        commit_merge_requests = MergeRequestsFinder.new(
+          current_user,
+          project_id: user_project.id,
+          commit_sha: commit.sha
+        ).execute
+
+        present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
       end
     end
   end
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-27 17:21:05 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-27 17:21:05 +0300
commit	f29fb4759633fb9ca0a9ececd8b031f43a2ba05c (patch)
tree	1e5ab018b28fe2847cab87992acd8203179b60c7 /lib/api
parent	366821469ead4548735d6ddd4832f024de6b4fc0 (diff)
parent	912bd48c319d2bfa96a3522f096d8637cf850705 (diff)