Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

author: John Jarvis <jarv@gitlab.com> 2019-01-01 22:52:05 +0100
committer: John Jarvis <jarv@gitlab.com> 2019-01-01 22:52:05 +0100
commit: 638582e00108995804d44b451197fe977fbd0f01 (patch)
tree: a903f7736fde5e807cf6df64f024e686ee16b22f /app/controllers
parent: 895355724586574634f0ffdde7a70ca53a19be17 (diff)
parent: ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (diff)
download: gitlab-ce-638582e00108995804d44b451197fe977fbd0f01.tar.gz
4 files changed, 19 insertions, 5 deletions
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index c1dcc463de7..f476f428fdb 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -4,7 +4,7 @@ module Groups
   module Settings
     class CiCdController < Groups::ApplicationController
       skip_cross_project_access_check :show
-      before_action :authorize_admin_pipeline!
+      before_action :authorize_admin_group!
 
       def show
         define_ci_variables
@@ -26,8 +26,8 @@ module Groups
           .map { |variable| variable.present(current_user: current_user) }
       end
 
-      def authorize_admin_pipeline!
-        return render_404 unless can?(current_user, :admin_pipeline, group)
+      def authorize_admin_group!
+        return render_404 unless can?(current_user, :admin_group, group)
       end
     end
   end
diff --git a/app/controllers/projects/snippets_controller.rb b/app/controllers/projects/snippets_controller.rb
index a44acb12bdf..255f1f3569a 100644
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -75,7 +75,14 @@ class Projects::SnippetsController < Projects::ApplicationController
       format.json do
         render_blob_json(blob)
       end
-      format.js { render 'shared/snippets/show'}
+
+      format.js do
+        if @snippet.embeddable?
+          render 'shared/snippets/show'
+        else
+          head :not_found
+        end
+      end
     end
   end
 
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 8bf93bfd68d..878816475b2 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -19,6 +19,7 @@ class ProjectsController < Projects::ApplicationController
   before_action :lfs_blob_ids, only: [:show], if: [:repo_exists?, :project_view_files?]
   before_action :project_export_enabled, only: [:export, :download_export, :remove_export, :generate_new_export]
   before_action :present_project, only: [:edit]
+  before_action :authorize_download_code!, only: [:refs]
 
   # Authorize
   before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export, :remove_export, :generate_new_export]
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index dd9bf17cf0c..8ea5450b4e8 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -80,7 +80,13 @@ class SnippetsController < ApplicationController
         render_blob_json(blob)
       end
 
-      format.js { render 'shared/snippets/show' }
+      format.js do
+        if @snippet.embeddable?
+          render 'shared/snippets/show'
+        else
+          head :not_found
+        end
+      end
     end
   end
author	John Jarvis <jarv@gitlab.com>	2019-01-01 22:52:05 +0100
committer	John Jarvis <jarv@gitlab.com>	2019-01-01 22:52:05 +0100
commit	638582e00108995804d44b451197fe977fbd0f01 (patch)
tree	a903f7736fde5e807cf6df64f024e686ee16b22f /app/controllers
parent	895355724586574634f0ffdde7a70ca53a19be17 (diff)
parent	ec4ade500e5eb7060b4b79f6bed2f474ce03a851 (diff)
download	gitlab-ce-638582e00108995804d44b451197fe977fbd0f01.tar.gz