From 21a05328ffd5cb9130ae516faa7dd672cacba90c Mon Sep 17 00:00:00 2001
From: Valery Sizov
Date: Thu, 3 Mar 2016 15:19:27 +0200
Subject: [PATCH] Security: Fix issue auto closing
---
 app/services/git_push_service.rb | 4 +++-
 app/services/merge_requests/post_merge_service.rb | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/services/git_push_service.rb b/app/services/git_push_service.rb
index 9ba200f7bde..b50a7a4217c 100644
--- a/app/services/git_push_service.rb
+++ b/app/services/git_push_service.rb
@@ -96,7 +96,9 @@ class GitPushService < BaseService
 # a different branch.
 closed_issues = commit.closes_issues(current_user)
 closed_issues.each do |issue|
- Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+ if can?(current_user, :update_issue, issue)
+ Issues::CloseService.new(project, authors[commit], {}).execute(issue, commit)
+ end
 end
 end
diff --git a/app/services/merge_requests/post_merge_service.rb b/app/services/merge_requests/post_merge_service.rb
index 8f25c5e2496..ebb67c7db65 100644
--- a/app/services/merge_requests/post_merge_service.rb
+++ b/app/services/merge_requests/post_merge_service.rb
@@ -21,7 +21,9 @@ module MergeRequests
 closed_issues = merge_request.closes_issues(current_user)
 closed_issues.each do |issue|
- Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+ if can?(current_user, :update_issue, issue)
+ Issues::CloseService.new(project, current_user, {}).execute(issue, merge_request)
+ end
 end
 end
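Review bot: In the `closed_issues.each` block of git_push_service.rb the new guard authorises `current_user`, but the close is still executed as `authors[commit]`, so the permission is checked for one identity and the action is recorded under another. How `authors` is populated is outside this hunk; if it is resolved from commit author metadata, that value is set by whoever created the commit and is not authenticated by the push. Keeping the pusher as the authorisation subject looks right, but the split deserves a comment above the `if`, for example `# Authorise the authenticated pusher; authors[commit] is attribution only`, plus a spec where the commit author and the pusher have different access to the issue. The enclosing method starts and ends outside the hunk.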
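Review bot: In post_merge_service.rb the `can?(current_user, :update_issue, issue)` guard is enforced at the call site, and the same line is repeated in git_push_service.rb, so `Issues::CloseService#execute` itself stays unguarded and any other caller has to remember the check. Consider enforcing it once inside the service, with the user to authorise passed explicitly, since the push path constructs the service with `authors[commit]` rather than `current_user`. The service body is not part of this patch, so whether it can call `can?` directly is an assumption to confirm. The diffstat lists only the two service files, so no regression spec accompanies the fix; a case where the merging user lacks `:update_issue` on the referenced issue would pin the behaviour. The enclosing method continues outside the hunk.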