Don't allow non-members to see private related MRs

author: Patrick Bajao <ebajao@gitlab.com> 2019-01-25 10:44:50 +0300
committer: Patrick Bajao <ebajao@gitlab.com> 2019-02-15 09:22:34 +0300
commit: 912bd48c319d2bfa96a3522f096d8637cf850705 (patch)
tree: 4020c139a21b16a7c27195265773bc5570e61b08 /lib
parent: 22e1c70f2b5ba2d188725719c5c7196586ad30ce (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 9d23daafe95..be682982897 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,10 +318,18 @@ module API
         use :pagination
       end
       get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+        authorize! :read_merge_request, user_project
+
         commit = user_project.commit(params[:sha])
         not_found! 'Commit' unless commit
 
-        present paginate(commit.merge_requests), with: Entities::MergeRequestBasic
+        commit_merge_requests = MergeRequestsFinder.new(
+          current_user,
+          project_id: user_project.id,
+          commit_sha: commit.sha
+        ).execute
+
+        present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
       end
     end
   end
author	Patrick Bajao <ebajao@gitlab.com>	2019-01-25 10:44:50 +0300
committer	Patrick Bajao <ebajao@gitlab.com>	2019-02-15 09:22:34 +0300
commit	912bd48c319d2bfa96a3522f096d8637cf850705 (patch)
tree	4020c139a21b16a7c27195265773bc5570e61b08 /lib
parent	22e1c70f2b5ba2d188725719c5c7196586ad30ce (diff)