Commit b3d75ac5 authored by Phil Hughes's avatar Phil Hughes

Return 403 if user can't update group

parent e477ad44
...@@ -21,6 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController ...@@ -21,6 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController
def update def update
@group_link = @project.project_group_links.find(params[:id]) @group_link = @project.project_group_links.find(params[:id])
return render_403 unless can?(current_user, action_member_permission(:admin, @group_link.group), @group_link.group)
@group_link.update_attributes(group_link_params) @group_link.update_attributes(group_link_params)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment