Merge branch 'security-12717-fix-confidential-issue-assignee-visible-to-guests-12-3' into '12-3-stable'

Display only participants that user has permission to see See merge request gitlab/gitlabhq!3421
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-09-26 13:53:25 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-09-26 13:53:25 +0000
commit: 9c86027ec0556f59cef63cfe352cd30fafeaa13b (patch)
tree: 108079ab39d6a574d48602e18e9482cae4e75284 /app
parent: f15977b0458bbb43964cdb476b00cde01b94260f (diff)
parent: d7cccb194162ef9f7881973bdfe9f1ebf24d880a (diff)
download: gitlab-ce-9c86027ec0556f59cef63cfe352cd30fafeaa13b.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/concerns/milestone_actions.rb b/app/controllers/concerns/milestone_actions.rb
index 8b8b7db72f8..1ead631663e 100644
--- a/app/controllers/concerns/milestone_actions.rb
+++ b/app/controllers/concerns/milestone_actions.rb
@@ -20,7 +20,7 @@ module MilestoneActions
       format.html { redirect_to milestone_redirect_path }
       format.json do
         render json: tabs_json("shared/milestones/_participants_tab", {
-          users: @milestone.participants # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          users: @milestone.issue_participants_visible_by_user(current_user) # rubocop:disable Gitlab/ModuleWithInstanceVariables
         })
       end
     end
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-09-26 13:53:25 +0000
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-09-26 13:53:25 +0000
commit	9c86027ec0556f59cef63cfe352cd30fafeaa13b (patch)
tree	108079ab39d6a574d48602e18e9482cae4e75284 /app
parent	f15977b0458bbb43964cdb476b00cde01b94260f (diff)
parent	d7cccb194162ef9f7881973bdfe9f1ebf24d880a (diff)
download	gitlab-ce-9c86027ec0556f59cef63cfe352cd30fafeaa13b.tar.gz