diff options
author | Felipe Artur <felipefac@gmail.com> | 2019-02-22 11:31:02 -0300 |
---|---|---|
committer | Felipe Artur <felipefac@gmail.com> | 2019-02-25 14:10:34 -0300 |
commit | 9d1b4509bcc98cc6f43011353ae96f05c8bdceb4 (patch) | |
tree | 2e36932096853e15b013320be285afdb0a7c8d92 /app | |
parent | c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff) | |
download | gitlab-ce-9d1b4509bcc98cc6f43011353ae96f05c8bdceb4.tar.gz |
Prevent disclosing project milestone titles
Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/autocomplete_sources_controller.rb | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/projects/autocomplete_sources_controller.rb b/app/controllers/projects/autocomplete_sources_controller.rb index 9c130af8394..0e3f13045ce 100644 --- a/app/controllers/projects/autocomplete_sources_controller.rb +++ b/app/controllers/projects/autocomplete_sources_controller.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class Projects::AutocompleteSourcesController < Projects::ApplicationController + before_action :authorize_read_milestone!, only: :milestones + def members render json: ::Projects::ParticipantsService.new(@project, current_user).execute(target) end |