Check permissions when importing project members

Closes #14899
author: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2016-04-05 13:29:48 +0200
committer: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2016-04-05 13:32:28 +0200
commit: b248ee93814e8521fa0c73c82ec9ed113698b945 (patch)
tree: 2ff67b4755e09c47f737f0c0ec2fec976ed854fe /app/controllers
parent: 8a0a802ee960a21145995661c3751bbe8cde9e5c (diff)
download: gitlab-ce-b248ee93814e8521fa0c73c82ec9ed113698b945.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index e7bddc4a6f1..cd984f03c6b 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -95,8 +95,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
 
   def apply_import
     giver = Project.find(params[:source_project_id])
-    status = @project.team.import(giver, current_user)
-    notice = status ? "Successfully imported" : "Import failed"
+
+    if current_user.can?(:read_project_member, giver)
+      status = @project.team.import(giver, current_user)
+      notice = status ? "Successfully imported" : "Import failed"
+    else
+      notice = 'You are not authorized to import members from this project'
+    end
 
     redirect_to(namespace_project_project_members_path(project.namespace, project),
                 notice: notice)
author	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2016-04-05 13:29:48 +0200
committer	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2016-04-05 13:32:28 +0200
commit	b248ee93814e8521fa0c73c82ec9ed113698b945 (patch)
tree	2ff67b4755e09c47f737f0c0ec2fec976ed854fe /app/controllers
parent	8a0a802ee960a21145995661c3751bbe8cde9e5c (diff)
download	gitlab-ce-b248ee93814e8521fa0c73c82ec9ed113698b945.tar.gz