Permission fix for MergeRequestsController#pipeline_status

- Use set_pipeline_variables to filter for visible pipelines - Mimic response of nonexistent pipeline if not found - Provide set_pipeline_variables as a before_filter for other actions
author: drew cimino <dcimino@gitlab.com> 2019-07-22 14:16:15 -0400
committer: drew cimino <dcimino@gitlab.com> 2019-08-12 17:23:06 -0400
commit: 0b0ee2bc9df042ba7a7d4dc9135c45170ca65c93 (patch)
tree: e18888f19dddde1c00e7ba30926cace79e89a58b /changelogs
parent: 4016bcac51d6dc9c24eeae6688bf3a72820ca719 (diff)
download: gitlab-ce-0b0ee2bc9df042ba7a7d4dc9135c45170ca65c93.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
new file mode 100644
index 00000000000..b15b353ff41
--- /dev/null
+++ b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Check permissions before responding in MergeController#pipeline_status
+merge_request:
+author:
+type: security
author	drew cimino <dcimino@gitlab.com>	2019-07-22 14:16:15 -0400
committer	drew cimino <dcimino@gitlab.com>	2019-08-12 17:23:06 -0400
commit	0b0ee2bc9df042ba7a7d4dc9135c45170ca65c93 (patch)
tree	e18888f19dddde1c00e7ba30926cace79e89a58b /changelogs
parent	4016bcac51d6dc9c24eeae6688bf3a72820ca719 (diff)
download	gitlab-ce-0b0ee2bc9df042ba7a7d4dc9135c45170ca65c93.tar.gz