From 51f506cacddcac58edfd832bf8beead3135a11b1 Mon Sep 17 00:00:00 2001
From: drew cimino <dcimino@gitlab.com>
Date: Fri, 28 Jun 2019 10:40:34 -0400
Subject: Use MergeRequest#source_project as permissions reference for
 MergeRequest#all_pipelines

MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
project, so we should specifically check that project for permissions.
This was already happening for intra-project merge requests, but in the
event that the target and source projects both have private builds, we
should ensure that the project permissions are respected.
---
 changelogs/unreleased/security-mr-pipeline-permissions.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/unreleased/security-mr-pipeline-permissions.yml

(limited to 'changelogs')

diff --git a/changelogs/unreleased/security-mr-pipeline-permissions.yml b/changelogs/unreleased/security-mr-pipeline-permissions.yml
new file mode 100644
index 00000000000..a317c93228c
--- /dev/null
+++ b/changelogs/unreleased/security-mr-pipeline-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Use source project as permissions reference for MergeRequestsController#pipelines
+merge_request:
+author:
+type: security
-- 
cgit v1.2.3