Merge branch 'fix-mr-create-permissions' into 'master'

Check permissions on target project in merge request create service.

See merge request !1183

1 files changed, 8 insertions, 2 deletions

diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index f431c5d5534..9651b16462c 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,11 +1,17 @@
 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
+      # @project is used to determine whether the user can set the merge request's
+      # assignee, milestone and labels. Whether they can depends on their 
+      # permissions on the target project.
+      source_project = @project
+      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+
       filter_params
       label_params = params[:label_ids]
       merge_request = MergeRequest.new(params.except(:label_ids))
-      merge_request.source_project = project
-      merge_request.target_project ||= project
+      merge_request.source_project = source_project
+      merge_request.target_project ||= source_project
       merge_request.author = current_user
 
       if merge_request.save