diff options
author | Sean McGivern <sean@gitlab.com> | 2017-07-27 15:36:39 +0100 |
---|---|---|
committer | Sean McGivern <sean@gitlab.com> | 2017-07-28 16:25:13 +0100 |
commit | 75d04f6a29a5506ffd53c227517411febdc54910 (patch) | |
tree | 9e1234843c638abe5e34299d21348c5bf885a5ec /app/controllers | |
parent | 9981814514742a2ee507d4dcc2fd71099fd96585 (diff) | |
download | gitlab-ce-75d04f6a29a5506ffd53c227517411febdc54910.tar.gz |
Fix replying to commit comments on MRs from forks
A commit comment shows in the MR, but if the MR is from a fork, it will have a
different project ID to the MR's target project. In that case, add an
note_project_id param so that we can pick the correct project for the note.
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/concerns/notes_actions.rb | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb index a57d9e6e6c0..af5f683bab5 100644 --- a/app/controllers/concerns/notes_actions.rb +++ b/app/controllers/concerns/notes_actions.rb @@ -4,6 +4,7 @@ module NotesActions included do before_action :authorize_admin_note!, only: [:update, :destroy] + before_action :note_project, only: [:create] end def index @@ -28,7 +29,8 @@ module NotesActions merge_request_diff_head_sha: params[:merge_request_diff_head_sha], in_reply_to_discussion_id: params[:in_reply_to_discussion_id] ) - @note = Notes::CreateService.new(project, current_user, create_params).execute + + @note = Notes::CreateService.new(note_project, current_user, create_params).execute if @note.is_a?(Note) Banzai::NoteRenderer.render([@note], @project, current_user) @@ -177,4 +179,22 @@ module NotesActions def notes_finder @notes_finder ||= NotesFinder.new(project, current_user, finder_params) end + + def note_project + return @note_project if defined?(@note_project) + return nil unless project + + note_project_id = params[:note_project_id] + + @note_project = + if note_project_id.present? + Project.find(note_project_id) + else + project + end + + return access_denied! unless can?(current_user, :create_note, @note_project) + + @note_project + end end |