diff options
author | Rubén Dávila <ruben@gitlab.com> | 2017-12-11 09:53:31 -0500 |
---|---|---|
committer | Rubén Dávila <ruben@gitlab.com> | 2017-12-11 09:53:31 -0500 |
commit | 429302b34c5d66bd79f49284964cfc21db794ba7 (patch) | |
tree | 586f615c6b70b46b81eee51339ad358a427ef429 /app/controllers/projects/project_members_controller.rb | |
parent | 806a68a81f1baeed07c146b1b5d9eb77796c46ba (diff) | |
download | gitlab-ce-429302b34c5d66bd79f49284964cfc21db794ba7.tar.gz |
Bugfix: User can't change the access level of an access requester
The endpoint was returning 404 because it was only searching on the
current members of a Group or Project and not the access requesters.
Diffstat (limited to 'app/controllers/projects/project_members_controller.rb')
-rw-r--r-- | app/controllers/projects/project_members_controller.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb index d925dcd21ff..5a01a59481b 100644 --- a/app/controllers/projects/project_members_controller.rb +++ b/app/controllers/projects/project_members_controller.rb @@ -26,7 +26,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController end def update - @project_member = @project.project_members.find(params[:id]) + @project_member = @project.members_and_requesters.find(params[:id]) return render_403 unless can?(current_user, :update_project_member, @project_member) |