author | Winnie Hellmann <winnie@gitlab.com> | 2017-12-11 12:07:57 +0000 |
---|---|---|
committer | LUKE BENNETT <lbennett@gitlab.com> | 2017-12-13 13:51:54 +0000 |
commit | 5d076319c68543d1428b4c8b6f64edec6d272e02 (patch) | |
tree | 509806408d9b7273efdb483f570fa76126f7e045 /lib | |
parent | 0f68a4666ceb328c001fe86a529faee3566f417c (diff) | |
download | gitlab-ce-5d076319c68543d1428b4c8b6f64edec6d272e02.tar.gz |
Merge branch 'mk-pick-10-2-4-security-fixes' into 'master'
Pick 10.2.4 security fixes into master
See merge request gitlab-org/gitlab-ce!15821
(cherry picked from commit 1eff1bd385a28ccde7d0dc3a991c499ada1a63bd)
d332c8c7 Merge branch '36679-non-authorized-user-may-see-wikis-or-pipeline-page' into 'security-10-2'
8c0aa7d4 Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'
8f29d264 Merge branch 'rs-security-group-api' into 'security-10-2'
c59ae547 Merge branch 'issue_30663' into 'security-10-2'
f4fbe61a Merge branch 'note-preview' into 'security-10-2'
0f811675 Manually add 10.2.4 changelog entries
f71e48a0 Resolve conflicts in app/models/user.rb
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 17 | ||||
-rw-r--r-- | lib/api/issues.rb | 2 |
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index d96e7f2770f..928706dfda7 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -248,8 +248,21 @@ module API
 end
 class GroupDetail < Group
- expose :projects, using: Entities::Project
- expose :shared_projects, using: Entities::Project
+ expose :projects, using: Entities::Project do |group, options|
+ GroupProjectsFinder.new(
+ group: group,
+ current_user: options[:current_user],
+ options: { only_owned: true }
+ ).execute
+ end
+
+ expose :shared_projects, using: Entities::Project do |group, options|
+ GroupProjectsFinder.new(
+ group: group,
+ current_user: options[:current_user],
+ options: { only_shared: true }
+ ).execute
+ end
 end
 class Commit < Grape::Entity
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index e60e00d7956..5f943ba27d1 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -161,6 +161,8 @@ module API
 use :issue_params
 end
 post ':id/issues' do
+ authorize! :create_issue, user_project
+
 # Setting created_at time only allowed for admins and project owners
 unless current_user.admin? || user_project.owner == current_user
 params.delete(:created_at)
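Review bot: Both new `expose` blocks in `GroupDetail` depend on `options[:current_user]`, so any caller that renders this entity without passing `current_user:` hands the finder `nil` and presumably gets only the anonymous view; that fails closed, but silently. A why-comment above the first block would record the intent, e.g. `# Go through GroupProjectsFinder so only projects visible to current_user are serialized`. A request spec asserting that a private project is absent from both `projects` and `shared_projects` for a non-member would pin the fix against regression. The two blocks differ only in `only_owned: true` versus `only_shared: true`, so the comment should state that distinction too.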
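Review bot: The `authorize! :create_issue, user_project` guard is enforced only at this endpoint, so this hunk cannot show whether other callers of the same issue-creation path are covered; if the permission is not also checked in the service that builds the issue, it is worth adding there as well. The line deserves a short why-comment, e.g. `# user_project only proves read access; creating needs :create_issue` (assuming that is what `user_project` checks, which should be confirmed). A spec for a user who can read the project but lacks `:create_issue`, expecting a 403, would document the behaviour. The `post ':id/issues'` block continues past the end of the hunk.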