Forest Godfrey / gitlab-ce
Commit 5862fd13 authored Jun 12, 2017 by Sean McGivern
Always check read_issue permissions when loading issue
We never want to skip the check, so that some actions did so was a mistake.
parent de23d651
Showing 1 changed file with 6 additions and 9 deletions
app/controllers/projects/issues_controller.rb
...
...
@@ -10,11 +10,7 @@ class Projects::IssuesController < Projects::ApplicationController
before_action
:redirect_to_external_issue_tracker
,
only:
[
:index
,
:new
]
before_action
:module_enabled
before_action
:issue
,
only:
[
:edit
,
:update
,
:show
,
:referenced_merge_requests
,
:related_branches
,
:can_create_branch
,
:realtime_changes
,
:create_merge_request
]
# Allow read any issue
before_action
:authorize_read_issue!
,
only:
[
:show
,
:realtime_changes
]
before_action
:issue
,
except:
[
:index
,
:new
,
:create
,
:bulk_update
]
# Allow write(create) issue
before_action
:authorize_create_issue!
,
only:
[
:new
,
:create
]
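Review bot: `bulk_update` sits in the `except:` list of `before_action :issue`, so it gets neither the issue load nor the `read_issue` check that this filter now performs; by its name it operates on existing issues, so confirm that the action authorizes the issues it touches on its own. Using `except:` instead of `only:` is the right default because a new action is covered unless someone opts it out, but the filter name `issue` does not tell a reader that it also authorizes. A short comment above the line, in the style of `# Allow write(create) issue`, would make that visible. A controller spec that requests each member action as a user without `read_issue` and expects a 404 would also catch an action being added to the `except:` list by mistake.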
...
...
@@ -229,18 +225,19 @@ class Projects::IssuesController < Projects::ApplicationController
protected
def
issue
return
@issue
if
defined?
(
@issue
)
# The Sortable default scope causes performance issues when used with find_by
@noteable
=
@issue
||=
@project
.
issues
.
where
(
iid:
params
[
:id
]).
reorder
(
nil
).
take!
return
render_404
unless
can?
(
current_user
,
:read_issue
,
@issue
)
@issue
end
alias_method
:subscribable_resource
,
:issue
alias_method
:issuable
,
:issue
alias_method
:awardable
,
:issue
alias_method
:spammable
,
:issue
def
authorize_read_issue!
return
render_404
unless
can?
(
current_user
,
:read_issue
,
@issue
)
end
def
authorize_update_issue!
return
render_404
unless
can?
(
current_user
,
:update_issue
,
@issue
)
end
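Review bot: In `issue`, `@issue` is assigned before the `can?(current_user, :read_issue, @issue)` check, so when the check fails the record stays memoized and the `return @issue if defined?(@issue)` guard hands it back on any later call through `issue`, `issuable`, `awardable`, `spammable` or `subscribable_resource` without checking again. That is safe only while `render_404` stops the request before anything else reads the record. Consider loading into a local variable and setting `@noteable` and `@issue` only after the check passes. With the `defined?` guard in place, the `||=` on the load line is redundant and could be a plain `=`. On denial the method also returns the result of `render_404` rather than an issue, which is fine for a filter but deserves a comment given the aliases.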
...
...