Commit 4ed89992 authored by Douwe Maan's avatar Douwe Maan Committed by Robert Speicher

Check permissions on target project in merge request create service.

parent db4d828e
module MergeRequests module MergeRequests
class CreateService < MergeRequests::BaseService class CreateService < MergeRequests::BaseService
def execute def execute
# @project is used to determine whether the user can set the merge request's
# assignee, milestone and labels. Whether they can depends on their
# permissions on the target project.
source_project = @project
@project = Project.find(params[:target_project_id]) if params[:target_project_id]
filter_params filter_params
label_params = params[:label_ids] label_params = params[:label_ids]
merge_request = MergeRequest.new(params.except(:label_ids)) merge_request = MergeRequest.new(params.except(:label_ids))
merge_request.source_project = project merge_request.source_project = source_project
merge_request.target_project ||= project merge_request.target_project ||= source_project
merge_request.author = current_user merge_request.author = current_user
if merge_request.save if merge_request.save
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment