diff options
author | Patrick Bajao <ebajao@gitlab.com> | 2019-01-25 10:44:50 +0300 |
---|---|---|
committer | Patrick Bajao <ebajao@gitlab.com> | 2019-02-15 09:22:34 +0300 |
commit | 912bd48c319d2bfa96a3522f096d8637cf850705 (patch) | |
tree | 4020c139a21b16a7c27195265773bc5570e61b08 /lib | |
parent | 22e1c70f2b5ba2d188725719c5c7196586ad30ce (diff) |
Don't allow non-members to see private related MRs
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/commits.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb index 9d23daafe95..be682982897 100644 --- a/lib/api/commits.rb +++ b/lib/api/commits.rb @@ -318,10 +318,18 @@ module API use :pagination end get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do + authorize! :read_merge_request, user_project + commit = user_project.commit(params[:sha]) not_found! 'Commit' unless commit - present paginate(commit.merge_requests), with: Entities::MergeRequestBasic + commit_merge_requests = MergeRequestsFinder.new( + current_user, + project_id: user_project.id, + commit_sha: commit.sha + ).execute + + present paginate(commit_merge_requests), with: Entities::MergeRequestBasic end end end |