From 5862fd138399f8ad1f0e042f09cca51e4ef781a5 Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Mon, 12 Jun 2017 17:19:39 +0100 Subject: Always check read_issue permissions when loading issue We never want to skip the check, so that some actions did so was a mistake. --- app/controllers/projects/issues_controller.rb | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb index 8b1efd0c572..b53a79c859e 100644 --- a/app/controllers/projects/issues_controller.rb +++ b/app/controllers/projects/issues_controller.rb @@ -10,11 +10,7 @@ class Projects::IssuesController < Projects::ApplicationController before_action :redirect_to_external_issue_tracker, only: [:index, :new] before_action :module_enabled - before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests, - :related_branches, :can_create_branch, :realtime_changes, :create_merge_request] - - # Allow read any issue - before_action :authorize_read_issue!, only: [:show, :realtime_changes] + before_action :issue, except: [:index, :new, :create, :bulk_update] # Allow write(create) issue before_action :authorize_create_issue!, only: [:new, :create] @@ -229,18 +225,19 @@ class Projects::IssuesController < Projects::ApplicationController protected def issue + return @issue if defined?(@issue) # The Sortable default scope causes performance issues when used with find_by @noteable = @issue ||= @project.issues.where(iid: params[:id]).reorder(nil).take! + + return render_404 unless can?(current_user, :read_issue, @issue) + + @issue end alias_method :subscribable_resource, :issue alias_method :issuable, :issue alias_method :awardable, :issue alias_method :spammable, :issue - def authorize_read_issue! - return render_404 unless can?(current_user, :read_issue, @issue) - end - def authorize_update_issue! return render_404 unless can?(current_user, :update_issue, @issue) end -- cgit v1.2.3