From f2e3868124c1b0acef4eb57ffc42577b74fab334 Mon Sep 17 00:00:00 2001 From: Grzegorz Bizon Date: Mon, 18 Apr 2016 10:56:10 +0200 Subject: Check permissions when sharing project with group Closes #15330 --- app/controllers/projects/group_links_controller.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb index 4159e53bfa9..92113b9dd87 100644 --- a/app/controllers/projects/group_links_controller.rb +++ b/app/controllers/projects/group_links_controller.rb @@ -7,10 +7,16 @@ class Projects::GroupLinksController < Projects::ApplicationController end def create - link = project.project_group_links.new - link.group_id = params[:link_group_id] - link.group_access = params[:link_group_access] - link.save + group = Group.find(params[:link_group_id]) + + if can?(current_user, :read_group, group) + link = project.project_group_links.new + link.group_id = params[:link_group_id] + link.group_access = params[:link_group_access] + link.save + else + return render_404 + end redirect_to namespace_project_group_links_path(project.namespace, project) end -- cgit v1.2.1 From d177abb32b0b31ec27c51d0eb42e1ea131d64a03 Mon Sep 17 00:00:00 2001 From: Grzegorz Bizon Date: Mon, 18 Apr 2016 11:17:55 +0200 Subject: Refactor method that shares project with a group --- app/controllers/projects/group_links_controller.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb index 92113b9dd87..cd0f081cd7d 100644 --- a/app/controllers/projects/group_links_controller.rb +++ b/app/controllers/projects/group_links_controller.rb @@ -10,10 +10,9 @@ class Projects::GroupLinksController < Projects::ApplicationController group = Group.find(params[:link_group_id]) if can?(current_user, :read_group, group) - link = project.project_group_links.new - link.group_id = params[:link_group_id] - link.group_access = params[:link_group_access] - link.save + project.project_group_links.create( + group: group, group_access: params[:link_group_access] + ) else return render_404 end -- cgit v1.2.1 From 66b6d82a3e2f3ea32cdd534f8bcbba8ed515ce2d Mon Sep 17 00:00:00 2001 From: Grzegorz Bizon Date: Mon, 18 Apr 2016 12:00:47 +0200 Subject: Use guard clause to check ability to share project --- app/controllers/projects/group_links_controller.rb | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb index cd0f081cd7d..606552fa853 100644 --- a/app/controllers/projects/group_links_controller.rb +++ b/app/controllers/projects/group_links_controller.rb @@ -8,14 +8,11 @@ class Projects::GroupLinksController < Projects::ApplicationController def create group = Group.find(params[:link_group_id]) + return render_404 unless can?(current_user, :read_group, group) - if can?(current_user, :read_group, group) - project.project_group_links.create( - group: group, group_access: params[:link_group_access] - ) - else - return render_404 - end + project.project_group_links.create( + group: group, group_access: params[:link_group_access] + ) redirect_to namespace_project_group_links_path(project.namespace, project) end -- cgit v1.2.1