From 0bcfe9a0dcf630b166376bf05de966132d6ee45d Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Thu, 25 Jun 2015 16:17:48 +0200
Subject: [PATCH] Dont allow set assignee, milestone or labels if user is guest
Signed-off-by: Dmitriy Zaporozhets
---
 app/services/issuable_base_service.rb | 14 ++++++++++++++
 app/services/issues/create_service.rb | 1 +
 app/services/issues/update_service.rb | 1 +
 app/services/merge_requests/create_service.rb | 1 +
 app/services/merge_requests/update_service.rb | 1 +
 5 files changed, 18 insertions(+)
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 1d99223cfe6..cb544eaf89b 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -26,4 +26,18 @@ class IssuableBaseService < BaseService
 issuable, issuable.project, current_user, branch_type, old_branch, new_branch)
 end
+
+ def filter_params
+ unless can?(current_user, :set_milestone, project)
+ params.delete(:milestone_id)
+ end
+
+ unless can?(current_user, :set_label, project)
+ params.delete(:label_ids)
+ end
+
+ unless can?(current_user, :set_assignee, project)
+ params.delete(:assignee_id)
+ end
+ end
 end
diff --git a/app/services/issues/create_service.rb b/app/services/issues/create_service.rb
index d5c17906a55..1ea4b72216c 100644
--- a/app/services/issues/create_service.rb
+++ b/app/services/issues/create_service.rb
@@ -1,6 +1,7 @@
 module Issues
 class CreateService < Issues::BaseService
 def execute
+ filter_params
 label_params = params[:label_ids]
 issue = project.issues.new(params.except(:label_ids))
 issue.author = current_user
diff --git a/app/services/issues/update_service.rb b/app/services/issues/update_service.rb
index 6af942a5ca4..3220facaf7c 100644
--- a/app/services/issues/update_service.rb
+++ b/app/services/issues/update_service.rb
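Review bot: In app/services/issuable_base_service.rb, `filter_params` removes the three keys by symbol only (`params.delete(:milestone_id)` and the two calls after it), so the guard holds only if `params` is symbol-keyed or indifferent-access; how `params` is built is outside this hunk, and a plain Hash with string keys would pass through unchanged. I would state that requirement in a comment above the method, `# Drops :milestone_id, :label_ids and :assignee_id from params unless current_user has the matching ability on project. Mutates params; expects symbol or indifferent-access keys.` The diffstat lists no spec file, so a test that a guest's values for these keys are ignored on create and on update would pin the behaviour. Whether the method lands under `private` cannot be seen here because the class body starts above the hunk; if it does not, it should, since the hunks show it called only from inside the services.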
@@ -17,6 +17,7 @@ module Issues
 params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE
 params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+ filter_params
 old_labels = issue.labels.to_a
 if params.present? && issue.update_attributes(params.except(:state_event,
diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index ca8d80f6c0c..f431c5d5534 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,6 +1,7 @@
 module MergeRequests
 class CreateService < MergeRequests::BaseService
 def execute
+ filter_params
 label_params = params[:label_ids]
 merge_request = MergeRequest.new(params.except(:label_ids))
 merge_request.source_project = project
diff --git a/app/services/merge_requests/update_service.rb b/app/services/merge_requests/update_service.rb
index 4f6c6cba9a9..f6570f52241 100644
--- a/app/services/merge_requests/update_service.rb
+++ b/app/services/merge_requests/update_service.rb
@@ -27,6 +27,7 @@ module MergeRequests
 params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE
 params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+ filter_params
 old_labels = merge_request.labels.to_a
 if params.present? && merge_request.update_attributes(
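Review bot: In app/services/merge_requests/create_service.rb the new `filter_params` call checks abilities on the source project, not the target: the method tests `can?(current_user, :set_milestone, project)`, and the context line `merge_request.source_project = project` shows which side `project` is here. For a merge request whose target is a different project, the assignee, milestone and labels belong to the target, so a user with full rights on the source but only guest rights on the target would most likely keep all three keys. The ability check should run against the target project when one is supplied; how the target is resolved is not visible in this hunk, so that part needs confirming against the rest of `execute`, which continues past the hunk. It is also worth confirming which project the service in merge_requests/update_service.rb receives, since the last hunk does not show it.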