API: MergeRequest: authorization

1 files changed, 11 insertions, 1 deletions

diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb
index f1d8d6a9b55..14d9d92ae08 100644
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@@ -6,12 +6,18 @@ module Gitlab
     resource :projects do
       #list
       get ":id/merge_requests" do
+        authorize! :read_merge_request, user_project
+        
         present user_project.merge_requests, with: Entities::MergeRequest
       end
       
       #show
       get ":id/merge_request/:merge_request_id" do
-        present user_project.merge_requests.find(params[:merge_request_id]), with: Entities::MergeRequest
+        merge_request = user_project.merge_requests.find(params[:merge_request_id])
+        
+        authorize! :read_merge_request, merge_request
+        
+        present merge_request, with: Entities::MergeRequest
       end
 
       #create merge_request
@@ -20,6 +26,8 @@ module Gitlab
         merge_request = user_project.merge_requests.new(attrs)
         merge_request.author = current_user
         
+        authorize! :write_merge_request, merge_request
+        
         if merge_request.save
           merge_request.reload_code
           present merge_request, with: Entities::MergeRequest
@@ -33,6 +41,8 @@ module Gitlab
         attrs = attributes_for_keys [:source_branch, :target_branch, :assignee_id, :title, :closed]
         merge_request = user_project.merge_requests.find(params[:merge_request_id])
         
+        authorize! :modify_merge_request, merge_request
+        
         if merge_request.update_attributes attrs
           merge_request.reload_code
           merge_request.mark_as_unchecked