diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
| commit | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (patch) | |
| tree | d9b28159a53c3814c8a2e6b33a5f01557b757439 /app/controllers | |
| parent | 2b0b97e746e327c6168505df7740e667b690a27f (diff) | |
| download | gitlab-ce-11e9b7b58837da351f08c18e6f0f4faba4d7d301.tar.gz | |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/groups/application_controller.rb | 12 | ||||
| -rw-r--r-- | app/controllers/groups/deploy_tokens_controller.rb | 2 | ||||
| -rw-r--r-- | app/controllers/groups/settings/repository_controller.rb | 2 |
3 files changed, 14 insertions, 2 deletions
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb index 0760bdf1e01..84c8d7ada43 100644 --- a/app/controllers/groups/application_controller.rb +++ b/app/controllers/groups/application_controller.rb @@ -34,6 +34,18 @@ class Groups::ApplicationController < ApplicationController end end + def authorize_create_deploy_token! + unless can?(current_user, :create_deploy_token, group) + return render_404 + end + end + + def authorize_destroy_deploy_token! + unless can?(current_user, :destroy_deploy_token, group) + return render_404 + end + end + def authorize_admin_group_member! unless can?(current_user, :admin_group_member, group) return render_403 diff --git a/app/controllers/groups/deploy_tokens_controller.rb b/app/controllers/groups/deploy_tokens_controller.rb index 6bb075fd115..de951f2cb9f 100644 --- a/app/controllers/groups/deploy_tokens_controller.rb +++ b/app/controllers/groups/deploy_tokens_controller.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true class Groups::DeployTokensController < Groups::ApplicationController - before_action :authorize_admin_group! + before_action :authorize_destroy_deploy_token! def revoke @token = @group.deploy_tokens.find(params[:id]) diff --git a/app/controllers/groups/settings/repository_controller.rb b/app/controllers/groups/settings/repository_controller.rb index 4af5e613296..e2fbdc39692 100644 --- a/app/controllers/groups/settings/repository_controller.rb +++ b/app/controllers/groups/settings/repository_controller.rb @@ -4,7 +4,7 @@ module Groups module Settings class RepositoryController < Groups::ApplicationController skip_cross_project_access_check :show - before_action :authorize_admin_group! + before_action :authorize_create_deploy_token! before_action :define_deploy_token_variables before_action do push_frontend_feature_flag(:ajax_new_deploy_token, @group) |