diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:54 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 12:01:54 +0000 |
commit | 70911c7c43f5bc804156c701b3a4ba9b992548b3 (patch) | |
tree | 42cd262a2eb0693c98e206c03fbe301251f6cdf1 /lib | |
parent | 1c029e63564daacfc77488968b5f8b9e3ef5470a (diff) | |
parent | 644d125b9adeb20c0a7dfcd3dee2db7b7c1b6f2e (diff) | |
download | gitlab-ce-70911c7c43f5bc804156c701b3a4ba9b992548b3.tar.gz |
Merge branch 'security-28802-respect-fork-parent-visibility-12-5' into '12-5-stable'
Check permissions before showing a forked project's source
See merge request gitlab/gitlabhq!3555
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 9617f1a8acf..32a0fb9dd60 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -283,7 +283,9 @@ module API expose :shared_runners_enabled expose :lfs_enabled?, as: :lfs_enabled expose :creator_id - expose :forked_from_project, using: Entities::BasicProjectDetails, if: lambda { |project, options| project.forked? } + expose :forked_from_project, using: Entities::BasicProjectDetails, if: ->(project, options) do + project.forked? && Ability.allowed?(options[:current_user], :read_project, project.forked_from_project) + end expose :import_status expose :import_error, if: lambda { |_project, options| options[:user_can_admin_project] } do |project| |