From 9820da44788bde97700693565fd43f1d5054c007 Mon Sep 17 00:00:00 2001
From: Alessio Caiazza <acaiazza@gitlab.com>
Date: Fri, 8 Feb 2019 16:11:37 +0000
Subject: Prevent Releases links API to leak tag existance

---
 lib/api/release/links.rb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'lib/api')

diff --git a/lib/api/release/links.rb b/lib/api/release/links.rb
index e3072684ef7..5d1b40e3bff 100644
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
@@ -8,6 +8,8 @@ module API
       RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS
         .merge(tag_name: API::NO_SLASH_URL_PART_REGEX)
 
+      before { authorize! :read_release, user_project }
+
       params do
         requires :id, type: String, desc: 'The ID of a project'
       end
-- 
cgit v1.2.3