author | Douwe Maan <douwe@gitlab.com> | 2016-03-05 00:20:50 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-03-05 00:20:50 +0000 |
commit | 5a07032d265b97bfbbfe9e8bfd8079a6470b10e6 (patch) | |
tree | faa1d1a1ce5a1165330ca6229fd4c85171891500 | |
parent | a697b015f7c44befb2e51e66828ee2adc62868e1 (diff) | |
parent | 21a05328ffd5cb9130ae516faa7dd672cacba90c (diff) | |
Merge branch 'security_bug_fix_close_issue' into 'master'
[Security] Automatic issue closing
Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2640
See merge request !1944
-rw-r--r-- | app/services/git_push_service.rb | 4 | ||||
-rw-r--r-- | app/services/merge_requests/post_merge_service.rb | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/app/services/git_push_service.rb b/app/services/git_push_service.rb
index 9ba200f7bde..b50a7a4217c 100644
--- a/app/services/git_push_service.rb
+++ b/app/services/git_push_service.rb
@@ -96,7 +96,9 @@ class GitPushService < BaseService
 # a different branch.
 closed_issues = commit.closes_issues(current_user)
 closed_issues.each do |issue|
- Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+ if can?(current_user, :update_issue, issue)
+ Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+ end
 end
 end
diff --git a/app/services/merge_requests/post_merge_service.rb b/app/services/merge_requests/post_merge_service.rb
index 8f25c5e2496..ebb67c7db65 100644
--- a/app/services/merge_requests/post_merge_service.rb
+++ b/app/services/merge_requests/post_merge_service.rb
@@ -21,7 +21,9 @@ module MergeRequests
 closed_issues = merge_request.closes_issues(current_user)
 closed_issues.each do |issue|
- Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+ if can?(current_user, :update_issue, issue)
+ Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+ end
 end
 end |
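Review bot: The permission check added inside the `closed_issues.each` loop of `GitPushService` is evaluated for `current_user`, but the close is still executed as `authors[commit]`, so the user who is authorised and the user recorded as closing the issue can differ. Gating on the pusher is the sound choice, because commit author metadata is written by whoever creates the commit and is not authenticated, but nothing in the hunk records that reasoning. I would add a comment above the `if`, e.g. `# Authorise against the pusher: commit authorship is unauthenticated and must not grant the right to close.`, and confirm that `authors[commit]` should remain the actor handed to `Issues::CloseService`. `authors` is defined outside the hunk, so how it maps commits to users is inferred from its name only.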
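Review bot: The guard in `MergeRequests::PostMergeService` repeats `can?(current_user, :update_issue, issue)` from `GitPushService` line for line, which leaves authorisation of automatic closing to each caller of `Issues::CloseService`. If the service does not check the ability itself (its body is not visible here), a later caller that omits the guard would reintroduce the same bug; moving the check into the service, or into one helper both loops call, would remove that dependency on caller discipline. The diffstat lists only the two service files, so a regression spec asserting that an issue stays open when the user lacks `:update_issue` appears to be missing for both paths. The enclosing method starts outside the hunk.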