author | Jan Provaznik <jprovaznik@gitlab.com> | 2019-09-17 15:38:09 +0300 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2019-09-24 17:22:17 +0300 |
commit | bc22ef7b6e472eac085498e5ab82239e53498912 (patch) | |
tree | d40bb93ab01b7f093b1ecbe7f2180e80c2915ac1 /lib | |
parent | 3440d0f6100fc25e052e19801361aa99636d82c1 (diff) |
Filter not accessible label events
Label events may use cross-project or cross-group references,
if the projects are not accessible by user, we don't show these
label events.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/resource_label_events.rb | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/api/resource_label_events.rb b/lib/api/resource_label_events.rb
index 505a6c68c9c..062115c5103 100644
--- a/lib/api/resource_label_events.rb
+++ b/lib/api/resource_label_events.rb
@@ -24,14 +24,14 @@ module API
 use :pagination
 end
- # rubocop: disable CodeReuse/ActiveRecord
 get ":id/#{eventables_str}/:eventable_id/resource_label_events" do
 eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id])
- events = eventable.resource_label_events.includes(:label, :user)
+
+ opts = { page: params[:page], per_page: params[:per_page] }
+ events = ResourceLabelEventFinder.new(current_user, eventable, opts).execute
 present paginate(events), with: Entities::ResourceLabelEvent
 end
- # rubocop: enable CodeReuse/ActiveRecord
 desc "Get a single #{eventable_type.to_s.downcase} resource label event" do
 success Entities::ResourceLabelEvent
@@ -45,6 +45,8 @@ module API
 eventable = find_noteable(parent_type, params[:id], eventable_type, params[:eventable_id])
 event = eventable.resource_label_events.find(params[:event_id])
+ not_found!('ResourceLabelEvent') unless can?(current_user, :read_resource_label_event, event)
+
 present event, with: Entities::ResourceLabelEvent
 end
 end
|
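Review bot: Pagination is now applied in two places in the list route, because `page`/`per_page` go into `ResourceLabelEventFinder` through `opts` and the result is then wrapped in `paginate(events)` again, and nothing in the hunk says which layer decides what the client sees. The finder is not part of this diff (the diffstat is limited to `lib`), so the following is inferred: if it drops inaccessible events after slicing a page, pages can come back short and the pagination headers may still count events the user cannot read, which would reveal how many hidden cross-project label events exist. I would add a comment above `opts` stating which layer owns paging and whether totals are computed before or after the access filter. A request spec should also pin the returned count and pagination headers for a user who cannot access the referenced project.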
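Review bot: The single-event route authorises with `can?(current_user, :read_resource_label_event, event)` while the list route relies on `ResourceLabelEventFinder`, so the same visibility rule is enforced by two separate mechanisms that can drift apart. It would be safer to have both go through one policy, or at least to add a spec asserting that an event hidden from the list is also refused here. The choice of `not_found!` over a 403 is worth recording on the new line, e.g. `# 404, not 403: an inaccessible event must be indistinguishable from a missing one`. The spec should also confirm the response matches what `find` produces for a nonexistent `event_id`. The route's `get` line lies outside this hunk, so the enclosing block is only partly visible.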