| field | value | date |
|---|---|---|
| author | Robert Speicher <robert@gitlab.com> | 2018-01-18 23:10:19 +0000 |
| committer | Robert Speicher <rspeicher@gmail.com> | 2018-02-09 12:16:25 -0600 |
| commit | fec9fb05a5775b864ef6768df166d39fcb2be4bc (patch) | |
| tree | 9274b1aba3720ae0204be7294000bb8f22b77a48 /lib/api/todos.rb | |
| parent | 603fa7c14193d37e3953225501d2108f0c581df5 (diff) | |
| download | gitlab-ce-fec9fb05a5775b864ef6768df166d39fcb2be4bc.tar.gz | |
Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
Diffstat (limited to 'lib/api/todos.rb')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | lib/api/todos.rb | 2 |

1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/todos.rb b/lib/api/todos.rb index ffccfebe752..c6dbcf84e3a 100644 --- a/lib/api/todos.rb +++ b/lib/api/todos.rb @@ -60,7 +60,7 @@ module API end post ':id/mark_as_done' do TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user) - todo = Todo.find(params[:id]) + todo = current_user.todos.find(params[:id]) present todo, with: Entities::Todo, current_user: current_user end |
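Review bot: the scoped lookup fixes the disclosure, but in the `mark_as_done` hunk it runs after `TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)`, which still receives the raw `params[:id]`; unless that service method restricts itself to `current_user`'s todos internally (not visible in this hunk), a write on another user's todo can still happen before `current_user.todos.find(params[:id])` raises for the unauthorized id. Consider moving the scoped `find` above the service call so an id outside the user's own todos returns 404 before any state change, e.g. `todo = current_user.todos.find(params[:id])` followed by `TodoService.new.mark_todos_as_done_by_ids(todo.id, current_user)`. A request spec asserting 404 (rather than 200 with the todo entity) when posting another user's todo id to `:id/mark_as_done` would guard against regressing to the unscoped `Todo.find`.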
