From 414533ca48147120586f531f61f131dbef9d85fc Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 21 Aug 2015 09:47:39 -0700
Subject: [PATCH] Check permissions on target project in merge request create
 service.

---
 app/services/merge_requests/create_service.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/services/merge_requests/create_service.rb b/app/services/merge_requests/create_service.rb
index f431c5d5534..9651b16462c 100644
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
@@ -1,11 +1,17 @@
 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
+      # @project is used to determine whether the user can set the merge request's
+      # assignee, milestone and labels. Whether they can depends on their 
+      # permissions on the target project.
+      source_project = @project
+      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
+
       filter_params
       label_params = params[:label_ids]
       merge_request = MergeRequest.new(params.except(:label_ids))
-      merge_request.source_project = project
-      merge_request.target_project ||= project
+      merge_request.source_project = source_project
+      merge_request.target_project ||= source_project
       merge_request.author = current_user
 
       if merge_request.save