kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Dont allow set assignee, milestone or labels if user is guest

Browse source 
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
This commit is contained in:
Dmitriy Zaporozhets 2015-06-25 16:17:48 +02:00
parent 5ff870a044
commit 0bcfe9a0dc
No known key found for this signature in database
GPG key ID: 161B5D6A44D3D88A
5 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
app/services/issuable_base_service.rb
View file

@ -26,4 +26,18 @@ class IssuableBaseService < BaseService
issuable, issuable.project, current_user, branch_type, issuable, issuable.project, current_user, branch_type,
old_branch, new_branch) old_branch, new_branch)
end end
def filter_params
unless can?(current_user, :set_milestone, project)
params.delete(:milestone_id)
end
unless can?(current_user, :set_label, project)
params.delete(:label_ids)
end
unless can?(current_user, :set_assignee, project)
params.delete(:assignee_id)
end
end
end end

1
app/services/issues/create_service.rb
View file

@ -1,6 +1,7 @@
module Issues module Issues
class CreateService < Issues::BaseService class CreateService < Issues::BaseService
def execute def execute
filter_params
label_params = params[:label_ids] label_params = params[:label_ids]
issue = project.issues.new(params.except(:label_ids)) issue = project.issues.new(params.except(:label_ids))
issue.author = current_user issue.author = current_user

1
app/services/issues/update_service.rb
View file

@ -17,6 +17,7 @@ module Issues
params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE
params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
filter_params
old_labels = issue.labels.to_a old_labels = issue.labels.to_a
if params.present? && issue.update_attributes(params.except(:state_event, if params.present? && issue.update_attributes(params.except(:state_event,

1
app/services/merge_requests/create_service.rb
View file

@ -1,6 +1,7 @@
module MergeRequests module MergeRequests
class CreateService < MergeRequests::BaseService class CreateService < MergeRequests::BaseService
def execute def execute
filter_params
label_params = params[:label_ids] label_params = params[:label_ids]
merge_request = MergeRequest.new(params.except(:label_ids)) merge_request = MergeRequest.new(params.except(:label_ids))
merge_request.source_project = project merge_request.source_project = project

1
app/services/merge_requests/update_service.rb
View file

@ -27,6 +27,7 @@ module MergeRequests
params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE params[:assignee_id] = "" if params[:assignee_id] == IssuableFinder::NONE
params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
filter_params
old_labels = merge_request.labels.to_a old_labels = merge_request.labels.to_a
if params.present? && merge_request.update_attributes( if params.present? && merge_request.update_attributes(