From 276147c1f6c54ae87941953ec62d0d674c12f462 Mon Sep 17 00:00:00 2001
From: Patrick Bajao
Date: Fri, 25 Jan 2019 15:44:50 +0800
Subject: Respond with 403 when non-member requests for private MRs
---
 lib/api/commits.rb | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib/api/commits.rb')
diff --git a/lib/api/commits.rb b/lib/api/commits.rb
index 9d23daafe95..41cb3e17af8 100644
--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -318,6 +318,8 @@ module API
 use :pagination
 end
 get ':id/repository/commits/:sha/merge_requests', requirements: API::COMMIT_ENDPOINT_REQUIREMENTS do
+ authorize! :read_merge_request, user_project
+
 commit = user_project.commit(params[:sha])
 not_found! 'Commit' unless commit
-- 
cgit v1.2.1
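Review bot: The added `authorize! :read_merge_request, user_project` is a project-level check only, so it gates the route but does not by itself filter the merge requests that are returned; the handler's body continues past the end of the hunk, so the code that builds the list is not visible here. If that list is taken straight from the commit rather than through a per-user finder, it is worth confirming that every merge request it returns is readable by `current_user`. Placing the check before `user_project.commit(params[:sha])` is the right order, because a non-member then gets 403 without learning whether the SHA exists; a short comment such as `# Authorize before the commit lookup so the response does not reveal whether the SHA exists` would keep a later refactor from swapping the two. The diffstat shows only lib/api/commits.rb changed, so a request spec asserting 403 for a non-member when merge requests are members-only appears to be missing from this commit.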