author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:19:41 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:19:41 +0000 |
commit | a738d03187624132ec1041e41cfda09401a5ffa4 (patch) | |
tree | de3a9f3fdb5d69b94965ef6efe1327d969c2da13 /lib | |
parent | 361151f1d7c62ac5371605de4a6b8b3e3a7ae3ad (diff) | |
parent | d2c83f40498fc76388779cd3f42f9c6ea6fed555 (diff) | |
Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-8' into '11-8-stable'
Add public/internal groups as members to your Project(IDOR)
See merge request gitlab/gitlabhq!2962
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/projects.rb | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 6a93ef9f3ad..a7b4dc06832 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -436,27 +436,24 @@ module API end params do requires :group_id, type: Integer, desc: 'The ID of a group' - requires :group_access, type: Integer, values: Gitlab::Access.values, desc: 'The group access level' + requires :group_access, type: Integer, values: Gitlab::Access.values, as: :link_group_access, desc: 'The group access level' optional :expires_at, type: Date, desc: 'Share expiration date' end post ":id/share" do authorize! :admin_project, user_project group = Group.find_by_id(params[:group_id]) - unless group && can?(current_user, :read_group, group) - not_found!('Group') - end - unless user_project.allowed_to_share_with_group? break render_api_error!("The project sharing with group is disabled", 400) end - link = user_project.project_group_links.new(declared_params(include_missing: false)) + result = ::Projects::GroupLinks::CreateService.new(user_project, current_user, declared_params(include_missing: false)) + .execute(group) - if link.save - present link, with: Entities::ProjectGroupLink + if result[:status] == :success + present result[:link], with: Entities::ProjectGroupLink else - render_api_error!(link.errors.full_messages.first, 409) + render_api_error!(result[:message], result[:http_status]) end end |
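Review bot: The `post ":id/share"` handler now passes a possibly nil `group` straight to `::Projects::GroupLinks::CreateService#execute` and no longer checks `can?(current_user, :read_group, group)` itself, so the authorization depends entirely on a service that this diff (limited to `lib`) does not show. I would add a comment above the call, for example `# CreateService rejects a nil group and any group current_user cannot read; do not bypass it here`, so a later refactor does not silently drop the check. The error path also trusts `result[:http_status]`; presumably the service always sets it, but `render_api_error!(result[:message], result[:http_status] || 409)` keeps the response well-formed if it does not. A request spec should confirm that a non-existent group ID and an unreadable private group return the same 404, so the endpoint does not reveal which group IDs exist. The enclosing `module API` block starts and ends outside the hunk.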