diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-01-03 18:03:13 +0000 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2017-01-23 13:54:35 -0500 |
| commit | 3a5df1d8fc518900d8e33a6be8a2243e399c754a (patch) | |
| tree | 73e2ef9be53a013e3756a8d0e5ba9d9309bb5918 /lib/api/helpers.rb | |
| parent | d7755ede246988e3186a46b2c9fbd1b70660b529 (diff) | |
| download | gitlab-ce-3a5df1d8fc518900d8e33a6be8a2243e399c754a.tar.gz | |
Merge branch 'fix-api-mr-permissions' into 'security'
Ensure that only privileged users can access merge requests in the API
See merge request !2053
Diffstat (limited to 'lib/api/helpers.rb')
| -rw-r--r-- | lib/api/helpers.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 49c5f0652ab..a1d7b323f4f 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -90,6 +90,12 @@ module API MergeRequestsFinder.new(current_user, project_id: user_project.id).find(id) end + def find_merge_request_with_access(id, access_level = :read_merge_request) + merge_request = user_project.merge_requests.find(id) + authorize! access_level, merge_request + merge_request + end + def authenticate! unauthorized! unless current_user end |