Prevent disclosing project milestone titles

Prevent unauthorized users having access to milestone titles through autocomplete endpoint.
author: Felipe Artur <felipefac@gmail.com> 2019-02-22 11:31:02 -0300
committer: Felipe Artur <felipefac@gmail.com> 2019-02-25 14:10:34 -0300
commit: 9d1b4509bcc98cc6f43011353ae96f05c8bdceb4 (patch)
tree: 2e36932096853e15b013320be285afdb0a7c8d92 /app
parent: c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff)
download: gitlab-ce-9d1b4509bcc98cc6f43011353ae96f05c8bdceb4.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/app/controllers/projects/autocomplete_sources_controller.rb b/app/controllers/projects/autocomplete_sources_controller.rb
index 9c130af8394..0e3f13045ce 100644
--- a/app/controllers/projects/autocomplete_sources_controller.rb
+++ b/app/controllers/projects/autocomplete_sources_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Projects::AutocompleteSourcesController < Projects::ApplicationController
+  before_action :authorize_read_milestone!, only: :milestones
+
   def members
     render json: ::Projects::ParticipantsService.new(@project, current_user).execute(target)
   end
author	Felipe Artur <felipefac@gmail.com>	2019-02-22 11:31:02 -0300
committer	Felipe Artur <felipefac@gmail.com>	2019-02-25 14:10:34 -0300
commit	9d1b4509bcc98cc6f43011353ae96f05c8bdceb4 (patch)
tree	2e36932096853e15b013320be285afdb0a7c8d92 /app
parent	c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff)
download	gitlab-ce-9d1b4509bcc98cc6f43011353ae96f05c8bdceb4.tar.gz