diff options
| author | gitlabhq <m@gitlabhq.com> | 2011-10-17 13:39:03 +0300 |
|---|---|---|
| committer | gitlabhq <m@gitlabhq.com> | 2011-10-17 13:39:03 +0300 |
| commit | 783ca8979652085e2708cf3e020f3f83349dedb2 (patch) | |
| tree | 2753b16c8ea021b95489ded0a92c54158cef8545 /app/controllers/notes_controller.rb | |
| parent | b08e4074b49acdb00dc9e041dab65a11462a090c (diff) | |
| download | gitlab-ce-783ca8979652085e2708cf3e020f3f83349dedb2.tar.gz | |
security improved
Diffstat (limited to 'app/controllers/notes_controller.rb')
| -rw-r--r-- | app/controllers/notes_controller.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb index 1703c00d5e5..46425664d6e 100644 --- a/app/controllers/notes_controller.rb +++ b/app/controllers/notes_controller.rb @@ -4,7 +4,6 @@ class NotesController < ApplicationController # Authorize before_filter :add_project_abilities before_filter :authorize_write_note!, :only => [:create] - before_filter :authorize_admin_note!, :only => [:destroy] respond_to :js @@ -25,6 +24,9 @@ class NotesController < ApplicationController def destroy @note = @project.notes.find(params[:id]) + + return access_denied! unless can?(current_user, :admin_note, @note) + @note.destroy respond_to do |format| |