Check permissions when sharing project with group

Closes #15330
author: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2016-04-18 10:56:10 +0200
committer: Grzegorz Bizon <grzesiek.bizon@gmail.com> 2016-04-19 12:15:56 +0200
commit: f2e3868124c1b0acef4eb57ffc42577b74fab334 (patch)
tree: 37566103fc86ac47ad62dfbce2c502a7cc347509 /app/controllers
parent: f1907ffd34bf8685006f7bccdd3560e7ac6b1424 (diff)
download: gitlab-ce-f2e3868124c1b0acef4eb57ffc42577b74fab334.tar.gz
1 files changed, 10 insertions, 4 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 4159e53bfa9..92113b9dd87 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -7,10 +7,16 @@ class Projects::GroupLinksController < Projects::ApplicationController
   end
 
   def create
-    link = project.project_group_links.new
-    link.group_id = params[:link_group_id]
-    link.group_access = params[:link_group_access]
-    link.save
+    group = Group.find(params[:link_group_id])
+
+    if can?(current_user, :read_group, group)
+      link = project.project_group_links.new
+      link.group_id = params[:link_group_id]
+      link.group_access = params[:link_group_access]
+      link.save
+    else
+      return render_404
+    end
 
     redirect_to namespace_project_group_links_path(project.namespace, project)
   end
author	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2016-04-18 10:56:10 +0200
committer	Grzegorz Bizon <grzesiek.bizon@gmail.com>	2016-04-19 12:15:56 +0200
commit	f2e3868124c1b0acef4eb57ffc42577b74fab334 (patch)
tree	37566103fc86ac47ad62dfbce2c502a7cc347509 /app/controllers
parent	f1907ffd34bf8685006f7bccdd3560e7ac6b1424 (diff)
download	gitlab-ce-f2e3868124c1b0acef4eb57ffc42577b74fab334.tar.gz