author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:37:10 +0300 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 21:37:10 +0300 |
commit | 6683298fe6d85bb0785906723663482798418907 (patch) | |
tree | fafecb6b03174e521879d21f81d8bf39120c51c5 /lib | |
parent | a43fd6acb697edc897e930dee7c636e4d714565e (diff) | |
parent | 325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff) |
Merge branch 'security-commit-private-related-mr' into 'master'
Don't allow non-members to see private related MRs
Closes #2787
See merge request gitlab/gitlabhq!2866
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/commits.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 8defc59224d..d0a9debda5b 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,10 +318,18 @@ module API
 use :pagination
 end
 get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+ authorize! :read_merge_request, user_project
+
 commit = user_project.commit(params[:sha])
 not_found! 'Commit' unless commit
- present paginate(commit.merge_requests), with: Entities::MergeRequestBasic
+ commit_merge_requests = MergeRequestsFinder.new(
+ current_user,
+ project_id: user_project.id,
+ commit_sha: commit.sha
+ ).execute
+
+ present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
 end
 desc "Get a commit's GPG signature" do |
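Review bot: The replacement of `commit.merge_requests` with `MergeRequestsFinder` in the `get ':id/repository/commits/:sha/merge_requests'` handler has no comment recording that the finder is what scopes results to `current_user`, so a later simplification back to the association could silently reopen the exposure named in the commit title. I would add above the finder call: `# Go through the finder so only merge requests current_user may read are returned; the commit.merge_requests association is not visibility-filtered.` The diffstat shown is limited to `lib`, so no spec is visible here; if one is not already in the merge request, a request spec for a non-member against a project whose merge requests are members-only would pin both the `authorize!` check and the finder filtering. The enclosing `module API` block starts and ends outside the hunk.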