author | Douwe Maan <douwe@gitlab.com> | 2017-06-13 13:46:00 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2017-06-13 13:46:00 +0000 |
commit | 4124a1fba173622c0fa04dc50750ec7f542244bf (patch) | |
tree | a91c3a0eb3e788b313491762d67e6d285e9bcf71 | |
parent | 9cc126ea3fef95c71f1de98848b757aeae337193 (diff) | |
parent | 5862fd138399f8ad1f0e042f09cca51e4ef781a5 (diff) | |
download | gitlab-ce-4124a1fba173622c0fa04dc50750ec7f542244bf.tar.gz |
Merge branch 'tidy-up-issues-controller-filters' into 'master'
Always check read_issue permissions when loading issue
See merge request !12095
-rw-r--r-- | app/controllers/projects/issues_controller.rb | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index ebb163bf9dc..56f76e752d0 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -10,11 +10,7 @@ class Projects::IssuesController < Projects::ApplicationController
   before_action :redirect_to_external_issue_tracker, only: [:index, :new]
   before_action :module_enabled
-  before_action :issue, only: [:edit, :update, :show, :referenced_merge_requests,
-                               :related_branches, :can_create_branch, :realtime_changes, :create_merge_request]
-
-  # Allow read any issue
-  before_action :authorize_read_issue!, only: [:show, :realtime_changes]
+  before_action :issue, except: [:index, :new, :create, :bulk_update]
 
   # Allow write(create) issue
   before_action :authorize_create_issue!, only: [:new, :create]
 
@@ -229,18 +225,19 @@ class Projects::IssuesController < Projects::ApplicationController
   protected
 
   def issue
+    return @issue if defined?(@issue)
     # The Sortable default scope causes performance issues when used with find_by
     @noteable = @issue ||= @project.issues.where(iid: params[:id]).reorder(nil).take!
+
+    return render_404 unless can?(current_user, :read_issue, @issue)
+
+    @issue
   end
   alias_method :subscribable_resource, :issue
   alias_method :issuable, :issue
   alias_method :awardable, :issue
   alias_method :spammable, :issue
 
-  def authorize_read_issue!
-    return render_404 unless can?(current_user, :read_issue, @issue)
-  end
-
   def authorize_update_issue!
     return render_404 unless can?(current_user, :update_issue, @issue)
   end
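Review bot: The removed `# Allow read any issue` comment leaves nothing next to the new `before_action :issue, except: [:index, :new, :create, :bulk_update]` saying that loading the issue now also enforces `:read_issue`, so a reader of the filter list cannot see where read authorization happens; add `# Load the issue and enforce :read_issue (renders 404) for every action not listed` above it. Switching from an `only:` list to `except:` is the fail-closed choice, since any action added later is covered by default. `create` and `bulk_update` stay outside the filter, so their authorization presumably lives in the actions or services themselves, which are outside this hunk and worth confirming.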
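Review bot: In `def issue`, the early `return @issue if defined?(@issue)` bypasses the `@noteable = @issue ||= …` line, so when `@issue` was already assigned before this method runs (the `create` action is excluded from the filter and presumably sets it itself), `@noteable` is no longer populated here as it was before the change; if anything downstream reads `@noteable` on that path, `return @noteable = @issue if defined?(@issue)` restores the old behaviour. `defined?(@issue)` is also true for an explicitly nil `@issue`, where the previous `||=` would have re-fetched, so it is worth confirming no caller assigns nil. Because the method is now both the loader and the read-authorization point, a header comment would help the next reader: `# Loads the issue for the current action and enforces :read_issue; a missing or unreadable issue both end in 404, so existence is not leaked, and the render halts the filter chain.` The `alias_method` names (`issuable`, `spammable`, …) now resolve to a method that can render, which would double-render if invoked after a response has already been produced; the aliases are unchanged in this commit, so this is only a note.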