Add check for access to Namespace

author: Rubén Dávila <ruben@gitlab.com> 2017-08-30 12:24:49 -0500
committer: Rubén Dávila <ruben@gitlab.com> 2017-08-30 12:24:49 -0500
commit: b9b0b37b3695d5925c3ba6cd90cdefcc3c67ba6e (patch)
tree: 48e37db043f5c5f487be6d992805aa60432dd3f7 /app/controllers/projects_controller.rb
parent: 6f03ddcdc3af1fbb840498a0e4765458079f0b0f (diff)
download: gitlab-ce-b9b0b37b3695d5925c3ba6cd90cdefcc3c67ba6e.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 51cf37b9438..ed17b3b4689 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -20,7 +20,10 @@ class ProjectsController < Projects::ApplicationController
   end
 
   def new
-    @project ||= Project.new(params.permit(:namespace_id))
+    namespace = Namespace.find_by(id: params[:namespace_id]) if params[:namespace_id]
+    return access_denied! if namespace && !can?(current_user, :create_projects, namespace)
+
+    @project = Project.new(namespace_id: namespace&.id)
   end
 
   def edit
author	Rubén Dávila <ruben@gitlab.com>	2017-08-30 12:24:49 -0500
committer	Rubén Dávila <ruben@gitlab.com>	2017-08-30 12:24:49 -0500
commit	b9b0b37b3695d5925c3ba6cd90cdefcc3c67ba6e (patch)
tree	48e37db043f5c5f487be6d992805aa60432dd3f7 /app/controllers/projects_controller.rb
parent	6f03ddcdc3af1fbb840498a0e4765458079f0b0f (diff)
download	gitlab-ce-b9b0b37b3695d5925c3ba6cd90cdefcc3c67ba6e.tar.gz