Merge branch 'security-2773-milestones-fix' into 'master'

[master] Check issue milestone availability See merge request gitlab/gitlabhq!2788
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 18:37:15 +0000
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 18:37:15 +0000
commit: 025015048f7eaad29ee7816c6040fb3e0c06eb8d (patch)
tree: 50d713b293ffd0dee44b715dd9c12621810f8fa5 /app/models/concerns/issuable.rb
parent: 6683298fe6d85bb0785906723663482798418907 (diff)
parent: 30ab6ee416783cd9481085f021603383eeb4f317 (diff)
download: gitlab-ce-025015048f7eaad29ee7816c6040fb3e0c06eb8d.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb
index 429a63f83cc..4182db6fcc7 100644
--- a/app/models/concerns/issuable.rb
+++ b/app/models/concerns/issuable.rb
@@ -75,6 +75,7 @@ module Issuable
 
     validates :author, presence: true
     validates :title, presence: true, length: { maximum: 255 }
+    validate :milestone_is_valid
 
     scope :authored, ->(user) { where(author_id: user) }
     scope :recent, -> { reorder(id: :desc) }
@@ -118,6 +119,16 @@ module Issuable
     def has_multiple_assignees?
       assignees.count > 1
     end
+
+    def milestone_available?
+      project_id == milestone&.project_id || project.ancestors_upto.compact.include?(milestone&.group)
+    end
+
+    private
+
+    def milestone_is_valid
+      errors.add(:milestone_id, message: "is invalid") if milestone_id.present? && !milestone_available?
+    end
   end
 
   class_methods do
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 18:37:15 +0000
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 18:37:15 +0000
commit	025015048f7eaad29ee7816c6040fb3e0c06eb8d (patch)
tree	50d713b293ffd0dee44b715dd9c12621810f8fa5 /app/models/concerns/issuable.rb
parent	6683298fe6d85bb0785906723663482798418907 (diff)
parent	30ab6ee416783cd9481085f021603383eeb4f317 (diff)
download	gitlab-ce-025015048f7eaad29ee7816c6040fb3e0c06eb8d.tar.gz