Correct authorization for group milestones.

author: Marin Jankovski <marin@gitlab.com> 2014-06-30 11:38:03 +0200
committer: Marin Jankovski <marin@gitlab.com> 2014-06-30 11:38:03 +0200
commit: d145f09cd675fa46a6cc20fac8304f02d2d14656 (patch)
tree: fc4dea5f42832ffa6dca748bf0ae30a776889f75 /app/controllers/groups/milestones_controller.rb
parent: e66a8b4cdab176ff89a685788dcbcac089712e49 (diff)
download: gitlab-ce-d145f09cd675fa46a6cc20fac8304f02d2d14656.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb
index c4b87308e8b..281b2f0c90a 100644
--- a/app/controllers/groups/milestones_controller.rb
+++ b/app/controllers/groups/milestones_controller.rb
@@ -1,6 +1,8 @@
 class Groups::MilestonesController < ApplicationController
   layout 'group'
 
+  before_filter :authorize_group_milestone!, only: :update
+
   def index
     project_milestones = Milestone.where(project_id: group.projects)
     @group_milestones = Milestones::GroupService.new(project_milestones).execute
@@ -47,4 +49,8 @@ class Groups::MilestonesController < ApplicationController
   def status(state)
     @group_milestones.map{ |milestone| next if milestone.state != state; milestone }.compact
   end
+
+  def authorize_group_milestone!
+    return render_404 unless can?(current_user, :manage_group, group)
+  end
 end
author	Marin Jankovski <marin@gitlab.com>	2014-06-30 11:38:03 +0200
committer	Marin Jankovski <marin@gitlab.com>	2014-06-30 11:38:03 +0200
commit	d145f09cd675fa46a6cc20fac8304f02d2d14656 (patch)
tree	fc4dea5f42832ffa6dca748bf0ae30a776889f75 /app/controllers/groups/milestones_controller.rb
parent	e66a8b4cdab176ff89a685788dcbcac089712e49 (diff)
download	gitlab-ce-d145f09cd675fa46a6cc20fac8304f02d2d14656.tar.gz