From 783ca8979652085e2708cf3e020f3f83349dedb2 Mon Sep 17 00:00:00 2001
From: gitlabhq
Date: Mon, 17 Oct 2011 13:39:03 +0300
Subject: security improved

---
 app/controllers/notes_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'app/controllers/notes_controller.rb')

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 1703c00d5e5..46425664d6e 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -4,7 +4,6 @@ class NotesController < ApplicationController
   # Authorize
   before_filter :add_project_abilities
   before_filter :authorize_write_note!, :only => [:create]
-  before_filter :authorize_admin_note!, :only => [:destroy]
 
   respond_to :js
 
@@ -25,6 +24,9 @@ class NotesController < ApplicationController
   def destroy
     @note = @project.notes.find(params[:id])
+
+    return access_denied! unless can?(current_user, :admin_note, @note)
+
     @note.destroy
 
     respond_to do |format|
-- 
cgit v1.2.1
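Review bot: The new `can?` check in destroy is placed correctly — after the note is loaded through `@project.notes`, so an id outside the project still fails the find and the ability is evaluated against the actual record — but it is now an inline line that any later action on a note will have to repeat, whereas the removed `before_filter :authorize_admin_note!, :only => [:destroy]` (first hunk) kept the rule declarative at the top of the class. Presumably the filter was dropped because it ran before `@note` existed and so could not evaluate a per-record ability; if so, a loading filter gives both properties, provided `access_denied!` renders or redirects and thereby halts the chain. `access_denied!` is not defined in this hunk, so it is worth confirming it exists on ApplicationController and returns a response rather than falling through to `@note.destroy`. At minimum the new line deserves a why-comment such as `# per-record ability: must run after the note is loaded`, since the reason for abandoning the filter is not visible in the code. The `destroy` method closes outside the hunk.
```ruby
before_filter :load_and_authorize_note!, :only => [:destroy]

# … unchanged: respond_to :js, other actions …

def destroy
  @note.destroy
  # … unchanged: respond_to block …
end

private

# Loads the note within the current project and halts with access_denied!
# unless the current user holds :admin_note on that specific record.
def load_and_authorize_note!
  @note = @project.notes.find(params[:id])
  access_denied! unless can?(current_user, :admin_note, @note)
end
```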