authorDouwe Maan <douwe@gitlab.com>2016-11-10 10:23:44 +0000
committerAlejandro Rodríguez <alejorro70@gmail.com>2016-11-28 21:24:19 -0300
commit3d7704ae5f62446b8b399c796c64d1f527666376 (patch)
tree05790324eef305e2c2198366c7faa3767b5db8d8 /app/services
parentec5d0472288cac599d76a27870804e86fe29ffaf (diff)
Merge branch 'zj-fix-label-creation-non-members' into 'security'
Fix label creation non members Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23416 See merge request !2006
Diffstat (limited to 'app/services')
-rw-r--r--app/services/issuable_base_service.rb8
-rw-r--r--app/services/labels/find_or_create_service.rb7
2 files changed, 11 insertions, 4 deletions
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index d698b295e6d..ce68e433ab8 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -85,14 +85,15 @@ class IssuableBaseService < BaseService
def find_or_create_label_ids
labels = params.delete(:labels)
+
return unless labels
- params[:label_ids] = labels.split(',').map do |label_name|
+ params[:label_ids] = labels.split(",").map do |label_name|
service = Labels::FindOrCreateService.new(current_user, project, title: label_name.strip)
label = service.execute
- label.id
- end
+ label.try(:id)
+ end.compact
end
def process_label_ids(attributes, existing_label_ids: nil)
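Review bot: In `find_or_create_label_ids`, names that resolve to no label are now discarded by `label.try(:id)` and `end.compact` without any trace, so a request from a user who may not create labels succeeds while applying fewer labels than were asked for. A record returned by `create` that failed validation presumably also has a nil id and takes the same path, so the caller cannot tell the two cases apart. A comment above the block would state the contract, for example `# Labels that do not exist and that current_user may not create are skipped (execute returns nil for them)`. A spec that submits an unknown label name as a non-member and asserts that no label is created would pin the fix. `process_label_ids` on the last line continues outside the hunk.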
@@ -140,6 +141,7 @@ class IssuableBaseService < BaseService
params.delete(:state_event)
params[:author] ||= current_user
+
label_ids = process_label_ids(params)
issuable.assign_attributes(params)
diff --git a/app/services/labels/find_or_create_service.rb b/app/services/labels/find_or_create_service.rb
index d622f9edd33..cf4f7606c94 100644
--- a/app/services/labels/find_or_create_service.rb
+++ b/app/services/labels/find_or_create_service.rb
@@ -22,9 +22,14 @@ module Labels
).execute(skip_authorization: skip_authorization)
end
+ # Only creates the label if current_user can do so, if the label does not exist
+ # and the user can not create the label, nil is returned
def find_or_create_label
new_label = available_labels.find_by(title: title)
- new_label ||= project.labels.create(params)
+
+ if new_label.nil? && (skip_authorization || Ability.allowed?(current_user, :admin_label, project))
+ new_label = project.labels.create(params)
+ end
new_label
end
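Review bot: The new comment on `find_or_create_label` describes the permission check but not the `skip_authorization` branch in the same condition, which creates the label without consulting `Ability.allowed?`. Since that flag turns off the only authorization gate in this method, the comment should say so, e.g. `# When skip_authorization is set the :admin_label check is bypassed; only set it on trusted, system-initiated paths`. The method can now return nil, and this page is limited to app/services, so any caller elsewhere that dereferences the result would need the same nil handling as `label.try(:id)`. The enclosing module continues outside the hunk.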