From d145f09cd675fa46a6cc20fac8304f02d2d14656 Mon Sep 17 00:00:00 2001
From: Marin Jankovski
Date: Mon, 30 Jun 2014 11:38:03 +0200
Subject: Correct authorization for group milestones.

---
 app/controllers/groups/milestones_controller.rb | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'app/controllers/groups/milestones_controller.rb')

diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb
index c4b87308e8b..281b2f0c90a 100644
--- a/app/controllers/groups/milestones_controller.rb
+++ b/app/controllers/groups/milestones_controller.rb
@@ -1,6 +1,8 @@
 class Groups::MilestonesController < ApplicationController
   layout 'group'
 
+  before_filter :authorize_group_milestone!, only: :update
+
   def index
     project_milestones = Milestone.where(project_id: group.projects)
     @group_milestones = Milestones::GroupService.new(project_milestones).execute
@@ -47,4 +49,8 @@ class Groups::MilestonesController < ApplicationController
   def status(state)
     @group_milestones.map{ |milestone| next if milestone.state != state; milestone }.compact
   end
+
+  def authorize_group_milestone!
+    return render_404 unless can?(current_user, :manage_group, group)
+  end
 end
-- 
cgit v1.2.1
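Review bot: The new filter is scoped with `only: :update`, so every other action this controller has or later gains (`create`, `destroy`, a renamed `update`) runs with no permission check by default; declaring it as `before_filter :authorize_group_milestone!, except: [:index, :show]` makes the controller fail closed instead of open. The read side deserves the same scrutiny: `index` builds `Milestone.where(project_id: group.projects)` from every project in the group, and nothing in these hunks shows that the viewer may read the group or those projects, so unless the `group` helper or a layout-level filter already enforces that, milestones of private projects are listed to anyone who can reach the URL — worth confirming before relying on this fix. `authorize_group_milestone!` is appended after `status`, which reads like a helper; the `private` marker, if there is one, lies outside the hunk, so make sure the new method sits below it rather than becoming a public action method. The class body between the two hunks is not visible here.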