author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:22 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:28 +0000 |
commit | 37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch) | |
tree | 99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /lib | |
parent | de222caa576cab3d0894c65531f5822f205877d5 (diff) | |
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/helpers/members_helpers.rb | 4 | ||||
-rw-r--r-- | lib/api/members.rb | 8 |
2 files changed, 12 insertions, 0 deletions
diff --git a/lib/api/helpers/members_helpers.rb b/lib/api/helpers/members_helpers.rb
index c91e153c7b9..6a3cf5c87ae 100644
--- a/lib/api/helpers/members_helpers.rb
+++ b/lib/api/helpers/members_helpers.rb
@@ -15,6 +15,10 @@ module API
public_send("find_#{source_type}!", id) # rubocop:disable GitlabSecurity/PublicSend
end
+ def authorize_read_source_member!(source_type, source)
+ authorize! :"read_#{source_type}_member", source
+ end
+
def authorize_admin_source!(source_type, source)
authorize! :"admin_#{source_type}", source
end
diff --git a/lib/api/members.rb b/lib/api/members.rb
index e2045c6def7..b94f68f60b5 100644
--- a/lib/api/members.rb
+++ b/lib/api/members.rb
@@ -32,6 +32,8 @@ module API
get ":id/members", feature_category: feature_category do
source = find_source(source_type, params[:id])
+ authorize_read_source_member!(source_type, source)
+
members = paginate(retrieve_members(source, params: params))
present_members members
@@ -51,6 +53,8 @@ module API
get ":id/members/all", feature_category: feature_category do
source = find_source(source_type, params[:id])
+ authorize_read_source_member!(source_type, source)
+
members = paginate(retrieve_members(source, params: params, deep: true))
present_members members
@@ -66,6 +70,8 @@ module API
get ":id/members/:user_id", feature_category: feature_category do
source = find_source(source_type, params[:id])
+ authorize_read_source_member!(source_type, source)
+
members = source_members(source)
member = members.find_by!(user_id: params[:user_id])
@@ -83,6 +89,8 @@ module API
get ":id/members/all/:user_id", feature_category: feature_category do
source = find_source(source_type, params[:id])
+ authorize_read_source_member!(source_type, source)
+
members = find_all_members(source)
member = members.find_by!(user_id: params[:user_id]) |
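Review bot: The new `authorize_read_source_member!` in members_helpers.rb builds the ability symbol by interpolating `source_type` into `:"read_#{source_type}_member"`, yet nothing at the definition says which values of `source_type` are acceptable or that a matching `read_<type>_member` ability has to exist in the policy for the check to ever pass; the neighbouring `find_source` and `authorize_admin_source!` have the same implicit contract, and none of the three is documented. An unexpected `source_type` would presumably be refused rather than silently allowed, but that depends on `authorize!` failing closed for an unknown ability, which is not visible in this hunk. I would add above the definition: `# source_type must be a trusted literal (e.g. 'group' or 'project'), never request input: it names the policy ability :read_<source_type>_member, which has to be defined or this check cannot succeed.` The enclosing helpers module opens outside the hunk; the added method itself is complete within it.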
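Review bot: In the `get ":id/members"` hunk the visibility check is added by hand as the second statement after `source = find_source(source_type, params[:id])`, and the identical two lines are then copied into the three other GET routes in the later hunks of members.rb; a future route in this file that follows the same `find_source` opening would get no member-visibility check unless its author remembers to repeat them, so the fix relies on convention rather than on the code path. Since every one of these routes starts with the same lookup, I would fold the lookup and the check into a single helper in members_helpers.rb and have each route call `source = find_source_for_read_member!(source_type, params[:id])`, so the deny path cannot be skipped by omission. The ordering itself (resolve the source first, then authorize against it) is right, because the ability is checked against the resolved object and the not-found case is presumably handled inside `find_source`. The `get` block's `end` and the surrounding loop that supplies `source_type` lie outside the hunk.
```ruby
# Resolve the group/project and refuse the request unless the caller may read
# its membership; use this instead of a bare find_source in member-listing routes.
def find_source_for_read_member!(source_type, id)
  source = find_source(source_type, id)
  authorize_read_source_member!(source_type, source)
  source
end
```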