Merge branch 'security-commit-private-related-mr' into 'master'

Don't allow non-members to see private related MRs Closes #2787 See merge request gitlab/gitlabhq!2866
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 18:37:10 +0000
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-03-04 18:37:10 +0000
commit: 6683298fe6d85bb0785906723663482798418907 (patch)
tree: fafecb6b03174e521879d21f81d8bf39120c51c5 /lib
parent: a43fd6acb697edc897e930dee7c636e4d714565e (diff)
parent: 325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff)
download: gitlab-ce-6683298fe6d85bb0785906723663482798418907.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 8defc59224d..d0a9debda5b 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,10 +318,18 @@ module API
         use :pagination
       end
       get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+        authorize! :read_merge_request, user_project
+
         commit = user_project.commit(params[:sha])
         not_found! 'Commit' unless commit
 
-        present paginate(commit.merge_requests), with: Entities::MergeRequestBasic
+        commit_merge_requests = MergeRequestsFinder.new(
+          current_user,
+          project_id: user_project.id,
+          commit_sha: commit.sha
+        ).execute
+
+        present paginate(commit_merge_requests), with: Entities::MergeRequestBasic
       end
 
       desc "Get a commit's GPG signature" do
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 18:37:10 +0000
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-03-04 18:37:10 +0000
commit	6683298fe6d85bb0785906723663482798418907 (patch)
tree	fafecb6b03174e521879d21f81d8bf39120c51c5 /lib
parent	a43fd6acb697edc897e930dee7c636e4d714565e (diff)
parent	325527e6ca7635aeeea8e0beb7523c3892e21bf6 (diff)
download	gitlab-ce-6683298fe6d85bb0785906723663482798418907.tar.gz