diff options
author | Patrick Bajao <ebajao@gitlab.com> | 2019-01-25 10:44:50 +0300 |
---|---|---|
committer | Patrick Bajao <ebajao@gitlab.com> | 2019-02-15 09:26:45 +0300 |
commit | e191ef81ccf3f9693e7fd365b1d009a37a7bc809 (patch) | |
tree | 7e6f31af2ba9bef4e6d1a3635c21ceed689b619f /lib/api | |
parent | c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff) |
Don't allow non-members to see private related MRs
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/commits.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb index 9d23daafe95..be682982897 100644 --- a/lib/api/commits.rb +++ b/lib/api/commits.rb @@ -318,10 +318,18 @@ module API use :pagination end get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do + authorize! :read_merge_request, user_project + commit = user_project.commit(params[:sha]) not_found! 'Commit' unless commit - present paginate(commit.merge_requests), with: Entities::MergeRequestBasic + commit_merge_requests = MergeRequestsFinder.new( + current_user, + project_id: user_project.id, + commit_sha: commit.sha + ).execute + + present paginate(commit_merge_requests), with: Entities::MergeRequestBasic end end end |