diff options
| author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:28 +0300 |
|---|---|---|
| committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 15:01:28 +0300 |
| commit | b72162e7b64c17379932db4904314aab8f9dd086 (patch) | |
| tree | 446ce3b753b1aca31a45d598ac6577faa3dd955e /lib | |
| parent | 52444f1043ca345790bc765162caba0a633328a9 (diff) | |
| parent | b49d06e415a247b80cc3edd11f137c025163a31a (diff) | |
Merge branch 'security-28802-respect-fork-parent-visibility-12-4' into '12-4-stable'
Check permissions before showing a forked project's source
See merge request gitlab/gitlabhq!3556
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/entities.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 91811efacd7..dde0f291bb3 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -283,7 +283,9 @@ module API expose :shared_runners_enabled expose :lfs_enabled?, as: :lfs_enabled expose :creator_id - expose :forked_from_project, using: Entities::BasicProjectDetails, if: lambda { |project, options| project.forked? } + expose :forked_from_project, using: Entities::BasicProjectDetails, if: ->(project, options) do + project.forked? && Ability.allowed?(options[:current_user], :read_project, project.forked_from_project) + end expose :import_status expose :import_error, if: lambda { |_project, options| options[:user_can_admin_project] } do |project| |