summaryrefslogtreecommitdiff
path: root/lib/api/v3/notes.rb
diff options
context:
space:
mode:
authorRobert Speicher <rspeicher@gmail.com>2017-08-10 12:39:26 -0400
committerRobert Speicher <rspeicher@gmail.com>2017-08-14 12:14:11 -0400
commit260c8da060a6039cbd47cfe31c8ec6d6f9b43de0 (patch)
treebd6dd444c6f416c7209d88bf80e0e9322037758d /lib/api/v3/notes.rb
parenta64760d6d0a9bc0ce0747de349d37f3c46a1c221 (diff)
downloadgitlab-ce-260c8da060a6039cbd47cfe31c8ec6d6f9b43de0.tar.gz
Whitelist or fix additional `Gitlab/PublicSend` cop violationsrs-more-public-send-whitelists
An upcoming update to rubocop-gitlab-security added additional violations.
Diffstat (limited to 'lib/api/v3/notes.rb')
-rw-r--r--lib/api/v3/notes.rb6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/api/v3/notes.rb b/lib/api/v3/notes.rb
index 23fe95e42e4..d49772b92f2 100644
--- a/lib/api/v3/notes.rb
+++ b/lib/api/v3/notes.rb
@@ -22,7 +22,7 @@ module API
use :pagination
end
get ":id/#{noteables_str}/:noteable_id/notes" do
- noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
+ noteable = user_project.public_send(noteables_str.to_sym).find(params[:noteable_id]) # rubocop:disable GitlabSecurity/PublicSend
if can?(current_user, noteable_read_ability_name(noteable), noteable)
# We exclude notes that are cross-references and that cannot be viewed
@@ -50,7 +50,7 @@ module API
requires :noteable_id, type: Integer, desc: 'The ID of the noteable'
end
get ":id/#{noteables_str}/:noteable_id/notes/:note_id" do
- noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
+ noteable = user_project.public_send(noteables_str.to_sym).find(params[:noteable_id]) # rubocop:disable GitlabSecurity/PublicSend
note = noteable.notes.find(params[:note_id])
can_read_note = can?(current_user, noteable_read_ability_name(noteable), noteable) && !note.cross_reference_not_visible_for?(current_user)
@@ -76,7 +76,7 @@ module API
noteable_id: params[:noteable_id]
}
- noteable = user_project.send(noteables_str.to_sym).find(params[:noteable_id])
+ noteable = user_project.public_send(noteables_str.to_sym).find(params[:noteable_id]) # rubocop:disable GitlabSecurity/PublicSend
if can?(current_user, noteable_read_ability_name(noteable), noteable)
if params[:created_at] && (current_user.admin? || user_project.owner == current_user)