From d00f14d73f41129f9d986d4bec32f1f927b525a6 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Fri, 4 Dec 2020 16:47:02 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

---
 app/services/feature_flags/update_service.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'app/services')

diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb
index ed5e2e794b4..d956d4b3357 100644
--- a/app/services/feature_flags/update_service.rb
+++ b/app/services/feature_flags/update_service.rb
@@ -10,6 +10,7 @@ module FeatureFlags
 
     def execute(feature_flag)
       return error('Access Denied', 403) unless can_update?(feature_flag)
+      return error('Not Found', 404) unless valid_user_list_ids?(feature_flag, user_list_ids(params))
 
       ActiveRecord::Base.transaction do
         feature_flag.assign_attributes(params)
@@ -87,5 +88,15 @@ module FeatureFlags
     def can_update?(feature_flag)
       Ability.allowed?(current_user, :update_feature_flag, feature_flag)
     end
+
+    def user_list_ids(params)
+      params.fetch(:strategies_attributes, [])
+        .select { |s| s[:user_list_id].present? }
+        .map { |s| s[:user_list_id] }
+    end
+
+    def valid_user_list_ids?(feature_flag, user_list_ids)
+      user_list_ids.empty? || ::Operations::FeatureFlags::UserList.belongs_to?(feature_flag.project_id, user_list_ids)
+    end
   end
 end
-- 
cgit v1.2.3