diff options
| author | Sean McGivern <sean@gitlab.com> | 2017-03-28 11:09:44 +0000 |
|---|---|---|
| committer | DJ Mountney <david@twkie.net> | 2017-03-29 19:18:38 -0700 |
| commit | 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch) | |
| tree | dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/views/shared | |
| parent | 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff) | |
| download | gitlab-ce-91f43587a8c05a5c2955f0b5c464f03688552cb6.tar.gz | |
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id
See merge request !2077
Diffstat (limited to 'app/views/shared')
| -rw-r--r-- | app/views/shared/_group_form.html.haml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/views/shared/_group_form.html.haml b/app/views/shared/_group_form.html.haml index 7974eb67f0f..8869d510aef 100644 --- a/app/views/shared/_group_form.html.haml +++ b/app/views/shared/_group_form.html.haml @@ -1,4 +1,4 @@ -- parent = Group.find_by(id: params[:parent_id] || @group.parent_id) +- parent = GroupFinder.new(current_user).execute(id: params[:parent_id] || @group.parent_id) - group_path = root_url - group_path << parent.full_path + '/' if parent - if @group.persisted? |