Filter confidential issues from milestones API if user does not have access

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
author: Stan Hu <stanhu@gmail.com> 2016-04-24 20:07:59 -0700
committer: Rémy Coutable <remy@rymai.me> 2016-04-25 12:20:29 +0200
commit: 03ae2cdbff49d4f72d32529963a2173c7308da40 (patch)
tree: 3a591e20cd6ec2617bf0462d328298a6173073a8 /lib/api/milestones.rb
parent: 793a7664633385d3e610f6e3ec909067db60f882 (diff)
download: gitlab-ce-03ae2cdbff49d4f72d32529963a2173c7308da40.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 84b4d4cdd6d..132043cf3f7 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -105,7 +105,15 @@ module API
         authorize! :read_milestone, user_project
 
         @milestone = user_project.milestones.find(params[:milestone_id])
-        present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
+
+        finder_params = {
+          project_id: user_project.id,
+          milestone_title: @milestone.title,
+          state: 'all'
+        }
+
+        issues = IssuesFinder.new(current_user, finder_params).execute
+        present paginate(issues), with: Entities::Issue, current_user: current_user
       end
 
     end
author	Stan Hu <stanhu@gmail.com>	2016-04-24 20:07:59 -0700
committer	Rémy Coutable <remy@rymai.me>	2016-04-25 12:20:29 +0200
commit	03ae2cdbff49d4f72d32529963a2173c7308da40 (patch)
tree	3a591e20cd6ec2617bf0462d328298a6173073a8 /lib/api/milestones.rb
parent	793a7664633385d3e610f6e3ec909067db60f882 (diff)
download	gitlab-ce-03ae2cdbff49d4f72d32529963a2173c7308da40.tar.gz