Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-02-11 03:09:13 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-02-11 03:09:13 +0000
commit: ea99abb145ed193c2ac5d19efbff3b8990a54c9c (patch)
tree: c4f3870175c3334d0842eb429b5395a7845c2528 /app/controllers/groups/boards_controller.rb
parent: a9104a50136e485c8dda7af37106332f9010a1e8 (diff)
download: gitlab-ce-ea99abb145ed193c2ac5d19efbff3b8990a54c9c.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/app/controllers/groups/boards_controller.rb b/app/controllers/groups/boards_controller.rb
index 8c9bf17f017..fab84fb8299 100644
--- a/app/controllers/groups/boards_controller.rb
+++ b/app/controllers/groups/boards_controller.rb
@@ -4,6 +4,7 @@ class Groups::BoardsController < Groups::ApplicationController
   include BoardsActions
   include RecordUserLastActivity
 
+  before_action :authorize_read_board!, only: [:index, :show]
   before_action :assign_endpoint_vars
   before_action do
     push_frontend_feature_flag(:multi_select_board, default_enabled: true)
@@ -16,4 +17,8 @@ class Groups::BoardsController < Groups::ApplicationController
     @namespace_path = group.to_param
     @labels_endpoint = group_labels_url(group)
   end
+
+  def authorize_read_board!
+    access_denied! unless can?(current_user, :read_board, group)
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-02-11 03:09:13 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-02-11 03:09:13 +0000
commit	ea99abb145ed193c2ac5d19efbff3b8990a54c9c (patch)
tree	c4f3870175c3334d0842eb429b5395a7845c2528 /app/controllers/groups/boards_controller.rb
parent	a9104a50136e485c8dda7af37106332f9010a1e8 (diff)
download	gitlab-ce-ea99abb145ed193c2ac5d19efbff3b8990a54c9c.tar.gz