Check permissions on target project in merge request create service.

4ed89992 · Douwe Maan · Robert Speicher · db4d828e · 4ed89992
Commit 4ed89992 authored Aug 21, 2015 by Douwe Maan Committed by Robert Speicher Aug 21, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

app/services/merge_requests/create_service.rb app/services/merge_requests/create_service.rb +8 -2

No files found.
--- a/app/services/merge_requests/create_service.rb
+++ b/app/services/merge_requests/create_service.rb
 module MergeRequests
  class CreateService < MergeRequests::BaseService
    def execute
+      # @project is used to determine whether the user can set the merge request's
+      # assignee, milestone and labels. Whether they can depends on their 
+      # permissions on the target project.
+      source_project = @project
+      @project = Project.find(params[:target_project_id]) if params[:target_project_id]
      filter_params
      label_params = params[:label_ids]
      merge_request = MergeRequest.new(params.except(:label_ids))
-      merge_request.source_project = project
+      merge_request.source_project = source_project
-      merge_request.target_project ||= project
+      merge_request.target_project ||= source_project
      merge_request.author = current_user
      if merge_request.save