Use `GroupFinder` to check if a user can read a group

author: Bob Van Landuyt <bob@vanlanduyt.co> 2017-10-10 13:34:20 +0200
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2017-10-10 14:09:56 +0200
commit: 3fe7f31ac047e1b9ba3ae53cea17012ce2f7f3e7 (patch)
tree: db9592d83e076aecc416350848b09dd90d6e39e0 /app
parent: deb45634ae841d64d1756c4cc0dc3c442e171ba9 (diff)
download: gitlab-ce-3fe7f31ac047e1b9ba3ae53cea17012ce2f7f3e7.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index b1deb29c61f..8c2053e8574 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -60,12 +60,14 @@ class GroupsController < Groups::ApplicationController
 
   def children
     parent = if params[:parent_id].present?
-               Group.find(params[:parent_id])
+               GroupFinder.new(current_user).execute(id: params[:parent_id])
              else
                @group
              end
-    if parent.nil? || !can?(current_user, :read_group, parent)
+
+    if parent.nil?
       render_404
+      return
     end
 
     setup_children(parent)
author	Bob Van Landuyt <bob@vanlanduyt.co>	2017-10-10 13:34:20 +0200
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2017-10-10 14:09:56 +0200
commit	3fe7f31ac047e1b9ba3ae53cea17012ce2f7f3e7 (patch)
tree	db9592d83e076aecc416350848b09dd90d6e39e0 /app
parent	deb45634ae841d64d1756c4cc0dc3c442e171ba9 (diff)
download	gitlab-ce-3fe7f31ac047e1b9ba3ae53cea17012ce2f7f3e7.tar.gz