diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:47:02 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-04 16:47:02 +0000 |
commit | d00f14d73f41129f9d986d4bec32f1f927b525a6 (patch) | |
tree | 93a8f2296ead9161cd71899e4f410e929ae33fb4 /app/services | |
parent | 1b6a590b197788a06a1ff726ea61630a49b10412 (diff) | |
download | gitlab-ce-d00f14d73f41129f9d986d4bec32f1f927b525a6.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/feature_flags/update_service.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/app/services/feature_flags/update_service.rb b/app/services/feature_flags/update_service.rb index ed5e2e794b4..d956d4b3357 100644 --- a/app/services/feature_flags/update_service.rb +++ b/app/services/feature_flags/update_service.rb @@ -10,6 +10,7 @@ module FeatureFlags def execute(feature_flag) return error('Access Denied', 403) unless can_update?(feature_flag) + return error('Not Found', 404) unless valid_user_list_ids?(feature_flag, user_list_ids(params)) ActiveRecord::Base.transaction do feature_flag.assign_attributes(params) @@ -87,5 +88,15 @@ module FeatureFlags def can_update?(feature_flag) Ability.allowed?(current_user, :update_feature_flag, feature_flag) end + + def user_list_ids(params) + params.fetch(:strategies_attributes, []) + .select { |s| s[:user_list_id].present? } + .map { |s| s[:user_list_id] } + end + + def valid_user_list_ids?(feature_flag, user_list_ids) + user_list_ids.empty? || ::Operations::FeatureFlags::UserList.belongs_to?(feature_flag.project_id, user_list_ids) + end end end |