author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-20 08:27:17 +0000 |
---|---|---|
committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-20 08:27:17 +0000 |
commit | 496184bf315093ee38d40eb94e742bcea834fccd (patch) | |
tree | cddaaefe38060b749627bcee42117fa02d84bfaf | |
parent | f73c162835c11a357baf59430fddceb02e22259b (diff) | |
parent | 4ebdcef3a1f1d140f8c6c5b02e22f3a13df2502e (diff) | |
Merge branch 'api_security_fix' into 'master'
Only users who have manage access can manage a project
https://dev.gitlab.org/gitlab/gitlab-ci/issues/205
See merge request !151
-rw-r--r-- | lib/api/projects.rb | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index c60d619..ea10a82 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -38,7 +38,7 @@ module API
 project = Project.find(params[:id])
 not_found! if project.blank?
- unauthorized! unless current_user.can_access_project?(project.gitlab_id)
+ unauthorized! unless current_user.can_manage_project?(project.gitlab_id)
 project.jobs
 end
@@ -61,7 +61,7 @@ module API
 project = Project.find(params[:id])
 not_found! if project.blank?
- unauthorized! unless current_user.can_access_project?(project.gitlab_id)
+ unauthorized! unless current_user.can_manage_project?(project.gitlab_id)
 job_params = {
@@ -97,7 +97,7 @@ module API
 job = project.jobs.find(params[:job_id])
 not_found! if project.blank? || job.blank?
- unauthorized! unless current_user.can_access_project?(project.gitlab_id)
+ unauthorized! unless current_user.can_manage_project?(project.gitlab_id)
 job.destroy
 end
@@ -193,7 +193,7 @@ module API
 put ":id" do
 project = Project.find(params[:id])
- if project.present? && current_user.can_access_project?(project.gitlab_id)
+ if project.present? && current_user.can_manage_project?(project.gitlab_id)
 attrs = attributes_for_keys [:name, :gitlab_id, :gitlab_url, :default_ref, :ssh_url_to_repo]
 if project.update_attributes(attrs)
@@ -216,7 +216,7 @@ module API
 delete ":id" do
 project = Project.find(params[:id])
- if project.present? && current_user.can_access_project?(project.gitlab_id)
+ if project.present? && current_user.can_manage_project?(project.gitlab_id)
 project.destroy
 else
 not_found!
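Review bot: The new `unauthorized!` line in this hunk answers 401 to a caller who lacks manage rights only after `not_found! if project.blank?` has already answered 404 for a missing id, so an unauthorized caller can tell which project ids exist, whereas the `put ":id"` and `delete ":id"` hunks further down fold the unauthorized case into `not_found!` and hide that distinction; the five endpoints should pick one behaviour. The more conservative form is the later one, e.g. `not_found! if project.blank? || !current_user.can_manage_project?(project.gitlab_id)` in place of the two separate lines. The route declaration for this block starts before the hunk, so it is not visible here whether this is a read-only listing endpoint (`project.jobs` is what it returns) that the commit message, which speaks only of managing, really intended to restrict to managers rather than to anyone with access.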
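Review bot: In the `@@ -97,7 +97,7 @@` hunk the job lookup `job = project.jobs.find(params[:job_id])` runs before the new `can_manage_project?` check, so callers who are not allowed to manage the project still drive a lookup against its jobs, and if `find` raises on an unknown id (as ActiveRecord's does) they get that error instead of the authorization failure; authorize first, then load: `unauthorized! unless current_user.can_manage_project?(project.gitlab_id)` followed by `job = project.jobs.find(params[:job_id])` and `not_found! if job.blank?`. The existing `not_found! if project.blank?` on the line in between is also reached only after `project.jobs` has been dereferenced, so a nil project would raise `NoMethodError` before it; presumably `Project.find` on the preceding line raises rather than returning nil, which makes that part of the check unreachable either way — worth confirming. The `delete` block this belongs to starts before the hunk.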
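Review bot: In the `@@ -193,7 +193,7 @@` hunk the authorization on the `if` line is keyed on `project.gitlab_id`, yet `attributes_for_keys` on the next line lets the same request overwrite `:gitlab_id`, so a user who can manage one GitLab project can re-point this CI project at any other GitLab id whose manage rights were never checked, and every later `can_manage_project?(project.gitlab_id)` check in this file then evaluates against the attacker-chosen id. Either drop `:gitlab_id` from the updatable keys or check the incoming value as well, e.g. `not_found! if attrs[:gitlab_id] && !current_user.can_manage_project?(attrs[:gitlab_id])` placed before `project.update_attributes(attrs)`. Whether anything else in the app re-validates `gitlab_id` against GitLab on update is not visible here; the `put ":id"` body continues past the end of this hunk.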