author | Sean McGivern <sean@gitlab.com> | 2018-01-05 17:55:37 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:04:38 -0800 |
commit | 3fc0564ae09a9edf87a71a8c85ff9bf8ad35121d (patch) | |
tree | 85ac8103dc85140d6a5e2d13b5949dd7f37cdd81 /app/services | |
parent | 954a44574fd7a0be232a194d503032e16b8f3094 (diff) | |
Merge branch '41567-projectfix' into 'security-10-3'
check project access on MR create
See merge request gitlab/gitlabhq!2273
(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
43e85f49 check project access on MR create
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/merge_requests/create_service.rb | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index 49cf534dc0d..634bf3bd690 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,15 +1,11 @@
 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
-      # @project is used to determine whether the user can set the merge request's
-      # assignee, milestone and labels. Whether they can depends on their
-      # permissions on the target project.
-      source_project = @project
-      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+      set_projects!
 
       merge_request = MergeRequest.new
       merge_request.target_project = @project
-      merge_request.source_project = source_project
+      merge_request.source_project = @source_project
       merge_request.source_branch = params[:source_branch]
       merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
 
@@ -58,5 +54,25 @@ module MergeRequests
 
       pipelines.order(id: :desc).first
     end
+
+    def set_projects!
+      # @project is used to determine whether the user can set the merge request's
+      # assignee, milestone and labels. Whether they can depends on their
+      # permissions on the target project.
+      @source_project = @project
+      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+
+      # make sure that source/target project ids are not in
+      # params so it can't be overridden later when updating attributes
+      # from params when applying quick actions
+      params.delete(:source_project_id)
+      params.delete(:target_project_id)
+
+      unless can?(current_user, :read_project, @source_project) &&
+          can?(current_user, :read_project, @project)
+
+        raise Gitlab::Access::AccessDeniedError
+      end
+    end
   end
 end
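Review bot: `Project.find(params[:target_project_id])` in the new `set_projects!` raises `ActiveRecord::RecordNotFound` before the `can?` guard below it runs, so a target id that does not exist and a target id the user may not read leave the service through two different exceptions. If the caller renders those two paths differently (a not-found response versus whatever handles `Gitlab::Access::AccessDeniedError`), a user could learn which project ids exist; if both already map to the same response this is moot, but the service should not have to rely on that. Looking up with `@project = Project.find_by(id: params[:target_project_id]) if params[:target_project_id]` and guarding with `raise Gitlab::Access::AccessDeniedError unless @project && can?(current_user, :read_project, @source_project) && can?(current_user, :read_project, @project)` makes the two cases indistinguishable from inside the service. A smaller point of style: the `!` suffix on `set_projects!` has no non-bang counterpart, which is what the Ruby style guide reserves it for; `assign_projects` would read the same without implying one.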