Merge branch 'security_bug_fix_close_issue' into 'master'

[Security] Automatic issue closing

Fixes https://dev.gitlab.org/gitlab/gitlabhq/issues/2640

See merge request !1944

2 files changed, 6 insertions, 2 deletions

diff --git a/app/services/git_push_service.rb b/app/services/git_push_service.rb
index 9ba200f7bde..b50a7a4217c 100644
--- a/app/services/git_push_service.rb
+++ b/app/services/git_push_service.rb
@@ -96,7 +96,9 @@ class GitPushService < BaseService
         # a different branch.
         closed_issues = commit.closes_issues(current_user)
         closed_issues.each do |issue|
-          Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+          if can?(current_user, :update_issue, issue)
+            Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+          end
         end
       end
 
diff --git a/app/services/merge_requests/post_merge_service.rb b/app/services/merge_requests/post_merge_service.rb
index 8f25c5e2496..ebb67c7db65 100644
--- a/app/services/merge_requests/post_merge_service.rb
+++ b/app/services/merge_requests/post_merge_service.rb
@@ -21,7 +21,9 @@ module MergeRequests
 
       closed_issues = merge_request.closes_issues(current_user)
       closed_issues.each do |issue|
-        Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+        if can?(current_user, :update_issue, issue)
+          Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+        end
       end
     end