author | Sean McGivern <sean@gitlab.com> | 2017-06-12 17:19:39 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2017-06-13 10:41:00 +0100 |
commit | 5862fd138399f8ad1f0e042f09cca51e4ef781a5 (patch) | |
tree | d6ddda8657a097dc85c2397f35be1b2957e6f310 | |
parent | de23d651e0a6b31b21c416c073ddf9e8ff97ade5 (diff) | |
download | gitlab-ce-tidy-up-issues-controller-filters.tar.gz |
Always check read_issue permissions when loading issue (branch: tidy-up-issues-controller-filters)
We never want to skip the check, so the fact that some actions did so was a mistake.
-rw-r--r-- | app/controllers/projects/issues_controller.rb | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index 8b1efd0c572..b53a79c859e 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -10,11 +10,7 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
-  before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch, :realtime_changes, :create_merge_request]
-
-  # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show, :realtime_changes]
+  before_action :issue, except: [:index, :new, :create, :bulk_update]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
 
@@ -229,18 +225,19 @@ class Projects::IssuesController < Projects::ApplicationController
   protected
 
   def issue
+    return @issue if defined?(@issue)
     # The Sortable default scope causes performance issues when used with find_by
     @noteable = @issue ||= @project.issues.where(iid: params[:id]).reorder(nil).take!
+
+    return render_404 unless can?(current_user, :read_issue, @issue)
+
+    @issue
   end
   alias_method :subscribable_resource, :issue
   alias_method :issuable, :issue
   alias_method :awardable, :issue
   alias_method :spammable, :issue
 
-  def authorize_read_issue!
-    return render_404 unless can?(current_user, :read_issue, @issue)
-  end
-
   def authorize_update_issue!
     return render_404 unless can?(current_user, :update_issue, @issue)
   end
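Review bot: The new `before_action :issue, except: [:index, :new, :create, :bulk_update]` line now carries the read-permission check that the deleted `authorize_read_issue!` filter used to advertise, but the `# Allow read any issue` comment was removed with that filter and nothing on this line says that `issue` also authorizes. Because the inverted `except:` list makes load-plus-`:read_issue` the default for any action added to the controller later, a comment above it would make that contract visible, e.g. `# Loads the issue and enforces :read_issue for every action that operates on one`. The `:bulk_update` exemption means that action's authorization happens outside this hunk; the rest of the filter list is not visible here.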
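Review bot: In `issue`, `@issue` is memoized before the `can?(current_user, :read_issue, @issue)` check, so once the method has run for an unauthorized user any later call through `issue`, `issuable`, `awardable` or `spammable` returns the record without re-checking; this is only safe because `render_404` inside a `before_action` halts the chain, and the method silently depends on being invoked as a filter first. With the `return @issue if defined?(@issue)` guard in place, the `||=` on the `@noteable = @issue ||= ...` line is also dead and could be a plain `=`. A comment above the check would record the dependency, e.g. `# render_404 halts the filter chain; this method must stay registered as a before_action so the read check is not bypassed when an alias is called directly`. Note also that `defined?(@issue)` returns truthy for an explicitly assigned nil, whereas `take!` never yields nil here, so `return @issue if @issue` would be the tighter guard if any other code path assigns `@issue`.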