author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-02 22:29:43 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-02 22:29:43 +0000 |
commit | c7c74818948dbc63a284bb617b2af1937f999cc8 (patch) | |
tree | e34c4d4103dca7b2877e766f540415d4cf10a085 /app/controllers | |
parent | 6cb0610108a079ae27d96d61c48216a9f3b0c476 (diff) | |
download | gitlab-ce-c7c74818948dbc63a284bb617b2af1937f999cc8.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/invites_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/projects/pipelines_controller.rb | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index e6aae144da6..3c81b698546 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -20,7 +20,7 @@ class InvitesController < ApplicationController
 end
 def accept
- if member.accept_invite!(current_user)
+ if current_user_matches_invite? && member.accept_invite!(current_user)
 redirect_to invite_details[:path], notice: helpers.invite_accepted_notice(member)
 else
 redirect_back_or_default(options: { alert: _("The invitation could not be accepted.") })
@@ -52,7 +52,7 @@ class InvitesController < ApplicationController
 end
 def current_user_matches_invite?
- @member.invite_email == current_user.email
+ current_user.verified_emails.include?(@member.invite_email)
 end
 def member?
diff --git a/app/controllers/projects/pipelines_controller.rb b/app/controllers/projects/pipelines_controller.rb
index b4196878c4f..0f7dc2afd0d 100644
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -8,7 +8,7 @@ class Projects::PipelinesController < Projects::ApplicationController
 before_action :pipeline, except: [:index, :new, :create, :charts, :config_variables]
 before_action :set_pipeline_path, only: [:show]
 before_action :authorize_read_pipeline!
- before_action :authorize_read_build!, only: [:index]
+ before_action :authorize_read_build!, only: [:index, :show]
 before_action :authorize_read_analytics!, only: [:charts]
 before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
 before_action :authorize_update_pipeline!, only: [:retry, :cancel] |
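Review bot: The new guard on the `if` line of `InvitesController#accept` has no comment explaining why a valid invite token is no longer sufficient by itself, so a later refactor could drop `current_user_matches_invite? &&` as redundant. I would add above it `# The invite token alone does not prove ownership of the invited address; only accept when the signed-in user has verified that e-mail.` The guard is also evaluated before `member` is called on this line, while the predicate changed in the next hunk reads `@member` directly, so it relies on the record having been loaded earlier, presumably by a filter that is not visible here. The `if`/`else` and the method itself close outside the hunk.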
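Review bot: `current_user.verified_emails.include?(@member.invite_email)` in `current_user_matches_invite?` is an exact string comparison, so an invite stored as `Jane@Example.com` would not match a verified `jane@example.com` (constructed example) unless both sides are normalised somewhere outside this diff. The mismatch fails closed, which is the safe direction, but the invited user would only see the generic "could not be accepted" alert; if no normalisation exists, `current_user.verified_emails.any? { |e| e.casecmp?(member.invite_email) }` would avoid that. Reading through `member` rather than `@member` would also remove the dependency on load order now that `accept` evaluates this predicate first.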
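Review bot: `authorize_read_build!` is still attached through an `only:` allow-list, so after this change it covers `:index` and `:show` but no other action of `Projects::PipelinesController`; the `except:` list on the `:pipeline` filter at the top of the hunk indicates that further member actions exist. Any of those that renders job data has to be added by hand, and an action added later is not covered by default. It is worth checking each remaining action against the `read_build` ability, or inverting the filter to an `except:` list so that it fails closed. A short comment on the line, e.g. `# show renders job data, so it needs read_build in addition to read_pipeline`, would record why `:show` is listed (presumed reason, to be confirmed). The class body continues outside the hunk.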