author | Robert Speicher <rspeicher@gmail.com> | 2015-04-14 16:04:37 -0400 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2015-04-20 13:01:44 -0400 |
commit | a803cd51eb3c5b98b14eeea56ec4cc363823c2c2 (patch) | |
tree | 6193bec52d11c175b81b1fe221577fcec35da7ae /lib | |
parent | 470b0c2508e792e93a9e7db7ba605475edfa2de4 (diff) | |
download | gitlab-ce-a803cd51eb3c5b98b14eeea56ec4cc363823c2c2.tar.gz |
Check for project read permissions in cross-references
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/markdown/cross_project_reference.rb | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/gitlab/markdown/cross_project_reference.rb b/lib/gitlab/markdown/cross_project_reference.rb
index 114247d0a33..b2197432caa 100644
--- a/lib/gitlab/markdown/cross_project_reference.rb
+++ b/lib/gitlab/markdown/cross_project_reference.rb
@@ -8,19 +8,29 @@ module Gitlab
 # Given a cross-project reference string, get the Project record
 #
- # If no valid reference is given, returns the `:project` value for the
- # current context.
+ # Defaults to value of `context[:project]` if:
+ # - No reference is given
+ # - Reference given doesn't exist
+ # - Reference given can't be read by the current user
 #
 # ref - String reference.
 #
 # Returns a Project
 def project_from_ref(ref)
 if ref && other = Project.find_with_namespace(ref)
- other
+ if user_can_reference_project?(other)
+ other
+ else
+ context[:project]
+ end
 else
 context[:project]
 end
 end
+
+ def user_can_reference_project?(project, user = context[:current_user])
+ user && Ability.abilities.allowed?(user, :read_project, project)
+ end
 end
 end
 end |
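Review bot: `user_can_reference_project?` returns nil whenever `context[:current_user]` is absent, so the `user &&` guard makes every cross-project reference fall back to `context[:project]`, including one to a public project, for anonymous renders or any caller that does not pass `:current_user`. That fails closed, which is the safe direction, but it is undocumented and the new method has no doc comment at all; something like `# Fails closed: without a current_user no cross-project reference resolves, even to a public project` above the method would make the behaviour deliberate. In `project_from_ref`, the inner `else` resolves an unreadable `namespace/project` reference against the current project rather than leaving it unlinked, so the rendered link can point at a different object than the author wrote. Returning the same value for a missing and an unreadable project does avoid an existence oracle, and the comment could say that this is intentional. The decision is also bound to whoever is in `context[:current_user]` when the filter runs, so it presumably holds only if the rendered HTML is not cached or delivered to other viewers; the callers are outside this diff, so that needs confirming there.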