Merge branch 'zj-fix-label-creation-non-members' into 'security'

Fix label creation non members Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416 See merge request !2006
author: Douwe Maan <douwe@gitlab.com> 2016-11-10 10:23:44 +0000
committer: Alejandro Rodríguez <alejorro70@gmail.com> 2016-11-28 21:24:19 -0300
commit: 3d7704ae5f62446b8b399c796c64d1f527666376 (patch)
tree: 05790324eef305e2c2198366c7faa3767b5db8d8 /app/services/labels/find_or_create_service.rb
parent: ec5d0472288cac599d76a27870804e86fe29ffaf (diff)
download: gitlab-ce-3d7704ae5f62446b8b399c796c64d1f527666376.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/app/services/labels/find_or_create_service.rb b/app/services/labels/find_or_create_service.rb
index d622f9edd33..cf4f7606c94 100644
--- a/app/services/labels/find_or_create_service.rb
+++ b/app/services/labels/find_or_create_service.rb
@@ -22,9 +22,14 @@ module Labels
       ).execute(skip_authorization: skip_authorization)
     end
 
+    # Only creates the label if current_user can do so, if the label does not exist
+    # and the user can not create the label, nil is returned
     def find_or_create_label
       new_label = available_labels.find_by(title: title)
-      new_label ||= project.labels.create(params)
+
+      if new_label.nil? && (skip_authorization || Ability.allowed?(current_user, :admin_label, project))
+        new_label = project.labels.create(params)
+      end
 
       new_label
     end
author	Douwe Maan <douwe@gitlab.com>	2016-11-10 10:23:44 +0000
committer	Alejandro Rodríguez <alejorro70@gmail.com>	2016-11-28 21:24:19 -0300
commit	3d7704ae5f62446b8b399c796c64d1f527666376 (patch)
tree	05790324eef305e2c2198366c7faa3767b5db8d8 /app/services/labels/find_or_create_service.rb
parent	ec5d0472288cac599d76a27870804e86fe29ffaf (diff)
download	gitlab-ce-3d7704ae5f62446b8b399c796c64d1f527666376.tar.gz