Check permissions on target project in merge request create service.

author: Douwe Maan <douwe@gitlab.com> 2015-08-21 09:47:39 -0700
committer: Douwe Maan <douwe@gitlab.com> 2015-08-21 09:47:39 -0700
commit: 414533ca48147120586f531f61f131dbef9d85fc (patch)
tree: fce1f631aa7ad5909a0684a35604f40341c8cd14
parent: 2de0935e276e45ac0090d32fd345593c2db92a5b (diff)
download: gitlab-ce-414533ca48147120586f531f61f131dbef9d85fc.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index f431c5d5534..9651b16462c 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,11 +1,17 @@
 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
+      # @project is used to determine whether the user can set the merge request's
+      # assignee, milestone and labels. Whether they can depends on their 
+      # permissions on the target project.
+      source_project = @project
+      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+
       filter_params
       label_params = params[:label_ids]
       merge_request = MergeRequest.new(params.except(:label_ids))
-      merge_request.source_project = project
-      merge_request.target_project ||= project
+      merge_request.source_project = source_project
+      merge_request.target_project ||= source_project
       merge_request.author = current_user
 
       if merge_request.save
author	Douwe Maan <douwe@gitlab.com>	2015-08-21 09:47:39 -0700
committer	Douwe Maan <douwe@gitlab.com>	2015-08-21 09:47:39 -0700
commit	414533ca48147120586f531f61f131dbef9d85fc (patch)
tree	fce1f631aa7ad5909a0684a35604f40341c8cd14
parent	2de0935e276e45ac0090d32fd345593c2db92a5b (diff)
download	gitlab-ce-414533ca48147120586f531f61f131dbef9d85fc.tar.gz