diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:37:10 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:37:10 +0000 |
commit | 6683298fe6d85bb0785906723663482798418907 (patch) | |
tree | fafecb6b03174e521879d21f81d8bf39120c51c5 /app/controllers/projects/commit_controller.rb | |
parent | a43fd6acb697edc897e930dee7c636e4d714565e (diff) | |
parent | 325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff) | |
download | gitlab-ce-6683298fe6d85bb0785906723663482798418907.tar.gz |
Merge branch 'security-commit-private-related-mr' into 'master'
Don't allow non-members to see private related MRs
Closes #2787
See merge request gitlab/gitlabhq!2866
Diffstat (limited to 'app/controllers/projects/commit_controller.rb')
-rw-r--r-- | app/controllers/projects/commit_controller.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb index b13c0ae3967..939a09d4fd2 100644 --- a/app/controllers/projects/commit_controller.rb +++ b/app/controllers/projects/commit_controller.rb @@ -65,7 +65,11 @@ class Projects::CommitController < Projects::ApplicationController # rubocop: enable CodeReuse/ActiveRecord def merge_requests - @merge_requests = @commit.merge_requests.map do |mr| + @merge_requests = MergeRequestsFinder.new( + current_user, + project_id: @project.id, + commit_sha: @commit.sha + ).execute.map do |mr| { iid: mr.iid, path: merge_request_path(mr), title: mr.title } end |