author | Luke Duncalfe <lduncalfe@eml.cc> | 2019-05-23 16:33:11 +1200 |
---|---|---|
committer | Luke Duncalfe <lduncalfe@eml.cc> | 2019-06-13 15:35:04 +1200 |
commit | 5351ebf83b4769bdd876aed0898b4202ebff6e91 (patch) | |
tree | 6fccffc0797786d780dc009b8712874ad624eb34 /.gitlab-ci.yml | |
parent | 3c240b7aea7fee1c4267d0ceb717ba0234e5e788 (diff) | |
download | gitlab-ce-5351ebf83b4769bdd876aed0898b4202ebff6e91.tar.gz |
Authorize access before serving project template

Previously, if a user was a guest member of a private project, they
could access the merge request template as we were not checking
permission-levels of the user.

When an issue template is asked for, the user must have :read_issue for
the project; or :read_merge_request when a merge request template is
asked for.

We also now rescue_from FileNotFoundError and handle as 404. This is
because RepoTemplateFinder can raise a FileNotFoundError exception,
which Rails previously handled as a 500.

Handling these in a way that is consistent with
ActiveRecord::RecordNotFound exceptions, within controllers that
inherit from Projects::ApplicationController at least, and returning a
404.

https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
Diffstat (limited to '.gitlab-ci.yml')
0 files changed, 0 insertions, 0 deletions
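The check the commit message describes, as an added plain-Ruby sketch that is not GitLab's code: the ability required depends on the template type, and a missing file becomes a 404 instead of an unhandled error. The role table, the sample templates, the names `serve_template`, `find_template` and `can?`, and the choice to answer a denied request with 404 are all assumptions made for illustration.

```ruby
# Hypothetical model of the authorization described above; not GitLab code.
class FileNotFoundError < StandardError; end

# Assumed abilities per role on a private project. The guest row follows the
# commit message: a guest must not be served merge request templates.
ABILITIES = {
  guest:    [:read_issue],
  reporter: [:read_issue, :read_merge_request]
}.freeze

# Ability required for each template type, as stated in the commit message.
REQUIRED_ABILITY = {
  "issue"         => :read_issue,
  "merge_request" => :read_merge_request
}.freeze

# Constructed sample templates standing in for files in the repository.
TEMPLATES = {
  ["issue", "bug"]             => "## Steps to reproduce",
  ["merge_request", "feature"] => "## What does this MR do?"
}.freeze

def can?(role, ability)
  ABILITIES.fetch(role, []).include?(ability)
end

# Stand-in for a template finder: raises when the file does not exist.
def find_template(type, name)
  TEMPLATES.fetch([type, name]) { raise FileNotFoundError, "#{type}/#{name}" }
end

# Returns [status, body]. Authorization runs before the lookup, so a caller
# without the ability cannot tell which templates exist.
def serve_template(role, type, name)
  ability = REQUIRED_ABILITY[type]
  # Assumption: unknown types and denied requests are both answered with 404.
  return [404, nil] if ability.nil? || !can?(role, ability)

  [200, find_template(type, name)]
rescue FileNotFoundError
  [404, nil] # a missing template is "not found", not a server error
end
```
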