Respond with 403 when non-member requests for private MRs

author: Patrick Bajao <ebajao@gitlab.com> 2019-01-25 15:44:50 +0800
committer: Patrick Bajao <ebajao@gitlab.com> 2019-01-28 15:10:07 +0800
commit: 276147c1f6c54ae87941953ec62d0d674c12f462 (patch)
tree: 5fb3b93031499e7d47bad9ae88047cb2ca2e37a7 /lib/api/commits.rb
parent: 35d4344edf5eec007d18acddbf40354646aa148e (diff)
download: gitlab-ce-276147c1f6c54ae87941953ec62d0d674c12f462.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 9d23daafe95..41cb3e17af8 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,6 +318,8 @@ module API
         use :pagination
       end
       get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+        authorize! :read_merge_request, user_project
+
         commit = user_project.commit(params[:sha])
         not_found! 'Commit' unless commit
author	Patrick Bajao <ebajao@gitlab.com>	2019-01-25 15:44:50 +0800
committer	Patrick Bajao <ebajao@gitlab.com>	2019-01-28 15:10:07 +0800
commit	276147c1f6c54ae87941953ec62d0d674c12f462 (patch)
tree	5fb3b93031499e7d47bad9ae88047cb2ca2e37a7 /lib/api/commits.rb
parent	35d4344edf5eec007d18acddbf40354646aa148e (diff)
download	gitlab-ce-276147c1f6c54ae87941953ec62d0d674c12f462.tar.gz