author | Robert Speicher <robert@gitlab.com> | 2016-04-26 00:37:01 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2016-04-26 00:37:01 +0000 |
commit | 29a23a4478d03e2cf70b09234c34e0f9dab2b4a9 (patch) | |
tree | 39b0589cb33d228d345a94e7c8647941591c38ec /lib | |
parent | 8cc20f92e9f81d78a343767a9f5bc913aa9aa125 (diff) | |
parent | 97bd349146bfb3acef77ec413cd0def552d00472 (diff) | |
download | gitlab-ce-29a23a4478d03e2cf70b09234c34e0f9dab2b4a9.tar.gz |
Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'
Prevent information disclosure via milestone API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
See merge request !1961
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/milestones.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 84b4d4cdd6d..132043cf3f7 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -105,7 +105,15 @@ module API
 authorize! :read_milestone, user_project
 @milestone = user_project.milestones.find(params[:milestone_id])
- present paginate(@milestone.issues), with: Entities::Issue, current_user: current_user
+
+ finder_params = {
+ project_id: user_project.id,
+ milestone_title: @milestone.title,
+ state: 'all'
+ }
+
+ issues = IssuesFinder.new(current_user, finder_params).execute
+ present paginate(issues), with: Entities::Issue, current_user: current_user
 end
 end |
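Review bot: Nothing in the new lines records why the issues are fetched through `IssuesFinder` instead of the association, so a later cleanup could restore `@milestone.issues` and reintroduce the disclosure this merge closes. A comment above `finder_params` would pin the intent, for example `# Go through IssuesFinder so issues current_user is not allowed to see (e.g. confidential ones) are filtered out; @milestone.issues is not scoped to the user.` The lookup also selects by `milestone_title` rather than by the milestone's id, which presumably relies on titles being unique within `project_id`; that assumption is worth confirming or stating in the same comment. The diffstat is limited to `lib`, so whether a request spec covers a user without access to a confidential issue is not visible here, and the enclosing route block starts outside the hunk.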