summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-03-17 17:45:00 -0300
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-03-17 20:55:59 -0300
commite4f1c001e6886d6001a258bf2fad75f8b424eff1 (patch)
tree3c3ddc8b75ef1729adf69f1214b8c1d05ac3e9dd /lib
parent7ee528336ad86e478b6db6d0039aec607c8f0192 (diff)
downloadgitlab-ce-e4f1c001e6886d6001a258bf2fad75f8b424eff1.tar.gz
Restrict access to confidential issues through API
Diffstat (limited to 'lib')
-rw-r--r--lib/api/issues.rb3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 252744515da..fda6f841438 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -82,7 +82,7 @@ module API
# GET /projects/:id/issues?milestone=1.0.0&state=closed
# GET /issues?iid=42
get ":id/issues" do
- issues = user_project.issues
+ issues = user_project.issues.visible_to_user(current_user)
issues = filter_issues_state(issues, params[:state]) unless params[:state].nil?
issues = filter_issues_labels(issues, params[:labels]) unless params[:labels].nil?
issues = filter_by_iid(issues, params[:iid]) unless params[:iid].nil?
@@ -104,6 +104,7 @@ module API
# GET /projects/:id/issues/:issue_id
get ":id/issues/:issue_id" do
@issue = user_project.issues.find(params[:issue_id])
+ not_found! unless can?(current_user, :read_issue, @issue)
present @issue, with: Entities::Issue
end