Verify user is signed in and can actually resolve conflicts

9eca67c9 · Douwe Maan · Fatih Acet · cf4cbb01 · 9eca67c9 · 9eca67c9
Commit 9eca67c9 authored Aug 10, 2016 by Douwe Maan Committed by Fatih Acet Aug 12, 2016
3 changed files
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -28,6 +28,8 @@ class Projects::MergeRequestsController < Projects::ApplicationController
  # Allow modify merge_request
  before_action :authorize_update_merge_request!, only: [:close, :edit, :update, :remove_wip, :sort]

+  before_action :authorize_can_resolve_conflicts!, only: [:conflicts, :resolve_conflicts]
+
  def index
    terms = params['issue_search']
    @merge_requests = merge_requests_collection
@@ -368,6 +370,10 @@ class Projects::MergeRequestsController < Projects::ApplicationController
    return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
  end

+  def authorize_can_resolve_conflicts!
+    return render_404 unless @merge_request.conflicts_can_be_resolved_by?(current_user)
+  end
+
  def module_enabled
    return render_404 unless @project.merge_requests_enabled
  end

--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -720,6 +720,11 @@ class MergeRequest < ActiveRecord::Base
    @conflicts ||= Gitlab::Conflict::FileCollection.new(self)
  end

+  def conflicts_can_be_resolved_by?(user)
+    access = ::Gitlab::UserAccess.new(user, project: source_project)
+    access.can_push_to_branch?(source_branch)
+  end
+
  def conflicts_can_be_resolved_in_ui?
    return @conflicts_can_be_resolved_in_ui if defined?(@conflicts_can_be_resolved_in_ui)


--- a/app/views/projects/merge_requests/widget/open/_conflicts.html.haml
+++ b/app/views/projects/merge_requests/widget/open/_conflicts.html.haml
@@ -4,9 +4,11 @@

 %p
  Please
-  - if @merge_request.conflicts_can_be_resolved_in_ui?
-    = link_to "resolve these conflicts", conflicts_namespace_project_merge_request_path(@project.namespace, @project, @merge_request)
-    or
+  - if @merge_request.conflicts_can_be_resolved_by?(current_user)
+    - if @merge_request.conflicts_can_be_resolved_in_ui?
+      = link_to "resolve these conflicts", conflicts_namespace_project_merge_request_path(@project.namespace, @project, @merge_request)
+      or
+
  - if @merge_request.can_be_merged_via_command_line_by?(current_user)
    #{link_to "merge this request manually", "#modal_merge_info", class: "how_to_merge_link vlink", "data-toggle" => "modal"}.
  - else