From 41b1c0469dba622a1c2c67c17f1f5e491573accf Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 1 Feb 2021 08:59:34 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

---
 app/controllers/projects/releases_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'app/controllers/projects/releases_controller.rb')

diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index a6e795a2b91..614bada09ed 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -5,6 +5,9 @@ class Projects::ReleasesController < Projects::ApplicationController
   before_action :require_non_empty_project, except: [:index]
   before_action :release, only: %i[edit show update downloads]
   before_action :authorize_read_release!
+  # We have to check `download_code` permission because detail URL path
+  # contains git-tag name.
+  before_action :authorize_download_code!, except: [:index]
   before_action do
     push_frontend_feature_flag(:graphql_release_data, project, default_enabled: true)
     push_frontend_feature_flag(:graphql_milestone_stats, project, default_enabled: true)
-- 
cgit v1.2.1