diff options
author | drew cimino <dcimino@gitlab.com> | 2019-06-28 10:40:34 -0400 |
---|---|---|
committer | drew cimino <dcimino@gitlab.com> | 2019-07-05 11:41:48 -0400 |
commit | 72f3fdc7a116ec79e2450bf9095aeb73d4e1ad31 (patch) | |
tree | adda08f5e5eb14d5faf941c0bcb59b4d6ab215e9 /app | |
parent | b85e6215a854a02fbb63c4e3be9998fc9fd4e58a (diff) | |
download | gitlab-ce-72f3fdc7a116ec79e2450bf9095aeb73d4e1ad31.tar.gz |
Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines
MergeRequest#all_pipelines fetches Ci::Pipeline records from the source
project, so we should specifically check that project for permissions.
This was already happening for intra-project merge requests, but in the
event that the target and source projects both have private builds, we
should ensure that the project permissions are respected.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/merge_requests/application_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/merge_requests_controller.rb | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/projects/merge_requests/application_controller.rb b/app/controllers/projects/merge_requests/application_controller.rb index eb469d2d714..4a31f1f3d57 100644 --- a/app/controllers/projects/merge_requests/application_controller.rb +++ b/app/controllers/projects/merge_requests/application_controller.rb @@ -41,7 +41,7 @@ class Projects::MergeRequests::ApplicationController < Projects::ApplicationCont def set_pipeline_variables @pipelines = - if can?(current_user, :read_pipeline, @project) + if can?(current_user, :read_pipeline, @merge_request.source_project) @merge_request.all_pipelines else Ci::Pipeline.none diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb index 8f177895b08..ea3d68449bd 100644 --- a/app/controllers/projects/merge_requests_controller.rb +++ b/app/controllers/projects/merge_requests_controller.rb @@ -82,7 +82,8 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo end def pipelines - @pipelines = @merge_request.all_pipelines.page(params[:page]).per(30) + set_pipeline_variables + @pipelines = @pipelines.page(params[:page]).per(30) Gitlab::PollingInterval.set_header(response, interval: 10_000) |