91f43587a8
Prevent private group disclosure via parent_id See merge request !2077
34 lines
820 B
Ruby
34 lines
820 B
Ruby
module Groups
|
|
class UpdateService < Groups::BaseService
|
|
def execute
|
|
reject_parent_id!
|
|
|
|
# check that user is allowed to set specified visibility_level
|
|
new_visibility = params[:visibility_level]
|
|
if new_visibility && new_visibility.to_i != group.visibility_level
|
|
unless can?(current_user, :change_visibility_level, group) &&
|
|
Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
|
|
|
|
deny_visibility_level(group, new_visibility)
|
|
return group
|
|
end
|
|
end
|
|
|
|
group.assign_attributes(params)
|
|
|
|
begin
|
|
group.save
|
|
rescue Gitlab::UpdatePathError => e
|
|
group.errors.add(:base, e.message)
|
|
|
|
false
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def reject_parent_id!
|
|
params.except!(:parent_id)
|
|
end
|
|
end
|
|
end
|