author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:21:05 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 17:21:05 +0300 |
commit | f29fb4759633fb9ca0a9ececd8b031f43a2ba05c (patch) | |
tree | 1e5ab018b28fe2847cab87992acd8203179b60c7 /lib/api | |
parent | 366821469ead4548735d6ddd4832f024de6b4fc0 (diff) | |
parent | 912bd48c319d2bfa96a3522f096d8637cf850705 (diff) |
Merge branch 'security-commit-private-related-mr-11-8' into '11-8-stable'
Don't allow non-members to see private related MRs
See merge request gitlab/gitlabhq!2930
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/commits.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 9d23daafe95..be682982897 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,10 +318,18 @@ module API
 use :pagination
 end
 get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+ authorize! :read_merge_request, user_project
+
 commit = user_project.commit(params[:sha])
 not_found! 'Commit' unless commit
 
- present paginate(commit.merge_requests), with: Entities::MergeRequestBasic
+ commit_merge_requests = MergeRequestsFinder.new(
+ current_user,
+ project_id: user_project.id,
+ commit_sha: commit.sha
+ ).execute
+
+ present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
 end
 end
 end
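Review bot: The switch from `commit.merge_requests` to `MergeRequestsFinder` carries the access-control fix, but nothing in the route says so, and a later cleanup could plausibly collapse it back to the shorter association call. I would add a comment above the finder call, e.g. `# Use the finder so results are limited to what current_user may read; commit.merge_requests apparently applies no per-user visibility check.` Placing `authorize! :read_merge_request, user_project` before the commit lookup is the right order, because an unauthorized caller is rejected before the response can distinguish an existing SHA from a missing one. The diffstat shown is limited to lib/api, so I cannot tell whether a request spec covers a non-member on a public project whose merge requests are members-only; if none exists, one should accompany this change.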