author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:36:52 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-03-04 18:36:52 +0000 |
commit | b50ad884608668c5db50eb1b0287f613e32aef25 (patch) | |
tree | 0e2fd877999ae2d3ab1e83b62a4d69ad4ab2e9ea /lib/api/projects.rb | |
parent | 03340f0987ac61ef4c884d4730e2fd3cbff113c5 (diff) | |
parent | 211c4e5985bf40afe7cf2391c76a6cfde153fb49 (diff) | |
Merge branch '2802-security-add-public-internal-groups-as-members-to-your-project-idor' into 'master'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2898
Diffstat (limited to 'lib/api/projects.rb')
-rw-r--r-- | lib/api/projects.rb | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index b23fe6cd4e7..c832f2cce42 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -442,27 +442,24 @@ module API
  end
  params do
  requires :group_id, type: Integer, desc: 'The ID of a group'
- requires :group_access, type: Integer, values: Gitlab::Access.values, desc: 'The group access level'
+ requires :group_access, type: Integer, values: Gitlab::Access.values, as: :link_group_access, desc: 'The group access level'
  optional :expires_at, type: Date, desc: 'Share expiration date'
  end
  post ":id/share" do
  authorize! :admin_project, user_project
  group = Group.find_by_id(params[:group_id])
- unless group && can?(current_user, :read_group, group)
- not_found!('Group')
- end
-
  unless user_project.allowed_to_share_with_group?
  break render_api_error!("The project sharing with group is disabled", 400)
  end
- link = user_project.project_group_links.new(declared_params(include_missing: false))
+ result = ::Projects::GroupLinks::CreateService.new(user_project, current_user, declared_params(include_missing: false))
+ .execute(group)
- if link.save
- present link, with: Entities::ProjectGroupLink
+ if result[:status] == :success
+ present result[:link], with: Entities::ProjectGroupLink
  else
- render_api_error!(link.errors.full_messages.first, 409)
+ render_api_error!(result[:message], result[:http_status])
  end
  end |
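Review bot: The `post ":id/share"` handler no longer authorizes the target group itself: `Group.find_by_id` can return nil and that value goes straight into `.execute(group)`, so both the not-found case and the permission decision behind this IDOR fix now rest entirely on `Projects::GroupLinks::CreateService`, which is not visible in this diff. Assuming the service does enforce both, I would add a comment above the call such as `# Group lookup result is authorized inside CreateService#execute (nil or unauthorized group => error result); keep the check there`, so the removed `can?(current_user, :read_group, group)` guard is not read as an accidental gap or re-added in its weaker form. A request spec for this endpoint should pin that a group the caller may not share with and a non-existent `group_id` are both refused, ideally with the same status so the response does not reveal which groups exist. The error branch also assumes every failure hash carries `:http_status`; if the service can omit it, `render_api_error!(result[:message], result[:http_status] || 409)` keeps the previous status.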