Abilities extended. Resources security improved

author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2012-02-22 00:31:18 +0200
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2012-02-22 00:31:18 +0200
commit: 8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25 (patch)
tree: 2b736fef4b5437bb201c0dbc038950ac2e184a0a /app/controllers/issues_controller.rb
parent: af82b6773b9b81cdac83afb702565207c00bad87 (diff)
download: gitlab-ce-8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25.tar.gz
1 files changed, 2 insertions, 3 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index ed1a5864f23..36c9c8f6c51 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -126,12 +126,11 @@ class IssuesController < ApplicationController
   end
 
   def authorize_modify_issue!
-    can?(current_user, :modify_issue, @issue) || 
-      @issue.assignee == current_user
+    return render_404 unless can?(current_user, :modify_issue, @issue)
   end
 
   def authorize_admin_issue!
-    can?(current_user, :admin_issue, @issue)
+    return render_404 unless can?(current_user, :admin_issue, @issue)
   end
 
   def module_enabled
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2012-02-22 00:31:18 +0200
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2012-02-22 00:31:18 +0200
commit	8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25 (patch)
tree	2b736fef4b5437bb201c0dbc038950ac2e184a0a /app/controllers/issues_controller.rb
parent	af82b6773b9b81cdac83afb702565207c00bad87 (diff)
download	gitlab-ce-8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25.tar.gz