author | Marin Jankovski <marin@gitlab.com> | 2014-06-30 11:38:03 +0200 |
---|---|---|
committer | Marin Jankovski <marin@gitlab.com> | 2014-06-30 11:38:03 +0200 |
commit | d145f09cd675fa46a6cc20fac8304f02d2d14656 (patch) | |
tree | fc4dea5f42832ffa6dca748bf0ae30a776889f75 /app/controllers/groups | |
parent | e66a8b4cdab176ff89a685788dcbcac089712e49 (diff) | |
download | gitlab-ce-d145f09cd675fa46a6cc20fac8304f02d2d14656.tar.gz |
Correct authorization for group milestones.
Diffstat (limited to 'app/controllers/groups')
-rw-r--r-- | app/controllers/groups/milestones_controller.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb
index c4b87308e8b..281b2f0c90a 100644
--- a/app/controllers/groups/milestones_controller.rb
+++ b/app/controllers/groups/milestones_controller.rb
@@ -1,6 +1,8 @@
 class Groups::MilestonesController < ApplicationController
 layout 'group'
+ before_filter :authorize_group_milestone!, only: :update
+
 def index
 project_milestones = Milestone.where(project_id: group.projects)
 @group_milestones = Milestones::GroupService.new(project_milestones).execute
@@ -47,4 +49,8 @@ class Groups::MilestonesController < ApplicationController
 def status(state)
 @group_milestones.map{ |milestone| next if milestone.state != state; milestone }.compact
 end
+
+ def authorize_group_milestone!
+ return render_404 unless can?(current_user, :manage_group, group)
+ end
 end |
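Review bot: The added `before_filter` is an allowlist (`only: :update`), so any state-changing action added to this controller later stays unguarded until someone remembers to extend the list. Excluding the read-only actions instead fails closed, for example `before_filter :authorize_group_milestone!, except: :index`, extended with whatever other read-only actions the controller has. Most of the controller body lies outside this hunk, so that list needs checking against the real action set. A one-line comment above the filter naming the required ability, such as `# update requires :manage_group on the group`, would also help reviewers of later changes.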
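Review bot: `authorize_group_milestone!` is appended after `status` at the end of the class, and the hunk does not show whether a `private` marker precedes it, because the class body between the two hunks is out of view. If the method ends up public, Rails counts it as an action method, so it belongs under `private` with the other filter callbacks. The leading `return` is redundant because this is the method's only statement: `render_404 unless can?(current_user, :manage_group, group)`. If answering 404 rather than 403 is deliberate, to avoid confirming the group exists to users who cannot manage it, a short comment saying so would record that choice.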