Merge branch 'fix-api-mr-permissions' into 'security'

Ensure that only privileged users can access merge requests in the API See merge request !2053
author: Robert Speicher <robert@gitlab.com> 2017-01-03 18:03:13 +0000
committer: Robert Speicher <rspeicher@gmail.com> 2017-01-23 13:54:35 -0500
commit: 3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch)
tree: 73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /lib/api/todos.rb
parent: d7755ede246988e3186a46b2c9fbd1b70660b529 (diff)
download: gitlab-ce-3a5df1d8fc518900d8e33a6be8a2243e399c754a.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/todos.rb b/lib/api/todos.rb
index ed8f48aa1e3..9bd077263a7 100644
--- a/lib/api/todos.rb
+++ b/lib/api/todos.rb
@@ -5,7 +5,7 @@ module API
     before { authenticate! }
 
     ISSUABLE_TYPES = {
-      'merge_requests' => ->(id) { user_project.merge_requests.find(id) },
+      'merge_requests' => ->(id) { find_merge_request_with_access(id) },
       'issues' => ->(id) { find_project_issue(id) }
     }
author	Robert Speicher <robert@gitlab.com>	2017-01-03 18:03:13 +0000
committer	Robert Speicher <rspeicher@gmail.com>	2017-01-23 13:54:35 -0500
commit	3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch)
tree	73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /lib/api/todos.rb
parent	d7755ede246988e3186a46b2c9fbd1b70660b529 (diff)
download	gitlab-ce-3a5df1d8fc518900d8e33a6be8a2243e399c754a.tar.gz