author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-01-25 15:42:41 +0200 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-01-25 15:42:41 +0200 |
commit | 3ddd9f753c0a6a57313ea4860bf7167f98f53cd2 (patch) | |
tree | a6cef7e57fde4fedcc4ced7710a1631198a2f7b0 /app/controllers/application_controller.rb | |
parent | 70e05801b196a460ec2b1d6f6f096f44d32b7928 (diff) | |
download | gitlab-ce-3ddd9f753c0a6a57313ea4860bf7167f98f53cd2.tar.gz |
Fix mass-assignment. Dont allow users w/o access to create team
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r-- | app/controllers/application_controller.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f903c7fdd62..74125e3308a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
 return access_denied! unless can?(current_user, :download_code, project)
 end
 
+ def authorize_create_team!
+ return access_denied! unless can?(current_user, :create_team, nil)
+ end
+
 def authorize_manage_user_team!
 return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
 end |
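Review bot: `authorize_create_team!` passes `nil` as the subject to `can?`, so the outcome rests entirely on how the ability layer resolves `:create_team` when there is no subject, and that lookup is not visible in this hunk. A comment above the method, for example `# Global permission: no subject, decided from current_user alone`, would make the intent explicit and distinguish it from the neighbouring filters that check a concrete `project` or `user_team`. The method is also only a definition here: it protects nothing until a controller registers it as a before filter on the team-creation actions (presumably both `new` and `create`), and that wiring, like the mass-assignment part named in the commit title, lies outside this file's diff. The enclosing class starts and ends outside the hunk.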