From 6e8ea52be6f75c99556ee4615f6213d991969bfd Mon Sep 17 00:00:00 2001
From: Shinya Maeda <shinya@gitlab.com>
Date: Mon, 26 Jun 2017 18:25:08 +0900
Subject: Add functionality and security.

---
 app/controllers/projects/pipeline_schedules_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'app/controllers/projects/pipeline_schedules_controller.rb')

diff --git a/app/controllers/projects/pipeline_schedules_controller.rb b/app/controllers/projects/pipeline_schedules_controller.rb
index 2ee6229cf68..3f395bd9cea 100644
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
   end
 
   def update
+    return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
+
     if Ci::CreatePipelineScheduleService
         .new(@project, current_user, schedule_params).update(schedule)
       redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project)
-- 
cgit v1.2.1