author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:19:41 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:19:41 +0000 |
commit | a738d03187624132ec1041e41cfda09401a5ffa4 (patch) | |
tree | de3a9f3fdb5d69b94965ef6efe1327d969c2da13 /app | |
parent | 361151f1d7c62ac5371605de4a6b8b3e3a7ae3ad (diff) | |
parent | d2c83f40498fc76388779cd3f42f9c6ea6fed555 (diff) | |
download | gitlab-ce-a738d03187624132ec1041e41cfda09401a5ffa4.tar.gz |
Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-8' into '11-8-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2962
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/group_links_controller.rb | 5 | ||||
-rw-r--r-- | app/services/projects/group_links/create_service.rb | 10 |
2 files changed, 11 insertions, 4 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 7c713c19762..bc942ba9288 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -13,9 +13,10 @@ class Projects::GroupLinksController < Projects::ApplicationController
 group = Group.find(params[:link_group_id]) if params[:link_group_id].present?
 if group
- return render_404 unless can?(current_user, :read_group, group)
+ result = Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+ return render_404 if result[:http_status] == 404
- Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group)
+ flash[:alert] = result[:message] if result[:http_status] == 409
 else
 flash[:alert] = 'Please select a group.'
 end
diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb
index 1392775f805..e3d5bea0852 100644
--- a/app/services/projects/group_links/create_service.rb
+++ b/app/services/projects/group_links/create_service.rb
@@ -4,13 +4,19 @@ module Projects
 module GroupLinks
 class CreateService < BaseService
 def execute(group)
- return false unless group
+ return error('Not Found', 404) unless group && can?(current_user, :read_namespace, group)
- project.project_group_links.create(
+ link = project.project_group_links.new(
 group: group,
 group_access: params[:link_group_access],
 expires_at: params[:expires_at]
 )
+
+ if link.save
+ success(link: link)
+ else
+ error(link.errors.full_messages.to_sentence, 409)
+ end
 end
 end
 end |
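Review bot: The controller reacts only to two literal codes, `result[:http_status] == 404` and `result[:http_status] == 409`, so any other failure the service returns later would fall through to the redirect with neither a 404 nor a flash message. Now that the authorization decision lives in the service, the second branch would be safer keyed on the result status, e.g. `flash[:alert] = result[:message] if result[:status] == :error` placed after the 404 line (this assumes the `error` helper in BaseService, not shown here, sets `status: :error`). `Group.find` still runs before the permission check, but a missing id and a group the user may not use both appear to end in a 404, so the response should not reveal which ids exist; a spec covering both cases would be worth having. The `create` action starts and ends outside the hunk.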
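Review bot: The guard in `execute` checks `:read_namespace` where the controller used to check `:read_group`, and nothing in the code says why; going by the commit title this switch is the actual fix, since being able to view a public or internal group should not be enough to link it to a project. A comment above the guard would keep someone from later "correcting" it back, for example `# :read_namespace on purpose: visibility of a public/internal group (:read_group) must not be sufficient to share a project with it`. The policy that defines `:read_namespace` is not part of this diff, so the exact rule behind it should be confirmed there. `execute` also used to return `false` or the created record and now always returns a result hash, so callers outside `app/` (the diffstat is limited to that directory) that test the return value for truthiness need checking, because an error hash is truthy.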