author | Felipe Artur <felipefac@gmail.com> | 2019-08-08 16:29:45 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-08-19 11:51:55 -0300 |
commit | fb93142488cfb79bac45f184b7945018550bf326 (patch) | |
tree | f387e1df2b8b708ca73b836cccc5c03831eb9458 /app/helpers/emails_helper.rb | |
parent | 1dfbb27f6e8d01023564eededff2a0ba1a04badc (diff) | |
download | gitlab-ce-fb93142488cfb79bac45f184b7945018550bf326.tar.gz |
Prevent disclosure of merge request id via email
Do not disclose merge request id via email for unauthorized users
when closing issues.
Diffstat (limited to 'app/helpers/emails_helper.rb')
-rw-r--r-- | app/helpers/emails_helper.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/app/helpers/emails_helper.rb b/app/helpers/emails_helper.rb index 36122d3a22a..23596769738 100644 --- a/app/helpers/emails_helper.rb +++ b/app/helpers/emails_helper.rb @@ -90,6 +90,8 @@ module EmailsHelper when MergeRequest merge_request = MergeRequest.find(closed_via[:id]).present + return "" unless Ability.allowed?(@recipient, :read_merge_request, merge_request) + case format when :html merge_request_link = link_to(merge_request.to_reference, merge_request.web_url) @@ -102,6 +104,8 @@ module EmailsHelper # Technically speaking this should be Commit but per # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/15610#note_163812339 # we can't deserialize Commit without custom serializer for ActiveJob + return "" unless Ability.allowed?(@recipient, :download_code, @project) + _("via %{closed_via}") % { closed_via: closed_via } else "" |
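Review bot: In the first hunk (@@ -90,6 +90,8), the new guard `return "" unless Ability.allowed?(@recipient, :read_merge_request, merge_request)` is handed the result of `MergeRequest.find(closed_via[:id]).present`, so the permission check runs against the presented object rather than the record itself. Consider loading the record, checking the ability on it, and only calling `.present` once the recipient is known to be allowed, so the check does not depend on how the presenter forwards to the model. The guard also depends on the `@recipient` instance variable being set by whichever mailer renders this helper; a short comment stating that expectation, or passing the recipient in explicitly, would make it harder for a future caller to skip the check unintentionally.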
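Review bot: In the second hunk (@@ -102,6 +104,8), the guard `return "" unless Ability.allowed?(@recipient, :download_code, @project)` is inserted directly under the existing comment about not being able to deserialize Commit, so that comment now reads as if it explains the permission check. Move the guard above the comment or give it its own one-line comment saying why `:download_code` on `@project` is the ability that governs whether a closing commit reference may appear in the email, since the choice is not obvious from the code. As with the merge request branch, the check relies on `@recipient` and `@project` being set by the caller, which is worth documenting on the helper.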