Many endpoints use `project.{issues,merge_request}.{where,find}` without checking current user access to that feature
All of these should be using the {Issues,MergeRequest}Finder instead of project.{issues,merge_request}. Also prefer the finder over an explicit can?(current_user, :read_{issue,merge_request}, issuable) check, instead of in the IssuesController or MergeRequestController that have a before_action :authorize_read_{issue,merge_request}!
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/branches_controller.rb#L39
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/services/merge_requests/build_service.rb#L68
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/finders/notes_finder.rb#L15
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/finders/notes_finder.rb#L17
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/models/cycle_analytics/summary.rb#L9
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/views/layouts/nav/_project.html.haml#L73
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/views/layouts/nav/_project.html.haml#L80
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/concerns/creates_commit.rb#L84
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/commits_controller.rb#L24
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/compare_controller.rb#L56
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/discussions_controller.rb#L29
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/todos_controller.rb#L19
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/projects/todos_controller.rb#L27
- http://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/models/commit.rb#L268
Added in the MR
- app/models/concerns/milestoneish.rb:27
- app/models/note.rb:121
- lib/api/issues.rb:112 -> Discloses issuses which should be visible to
Only team members - lib/api/helpers.rb:126
- lib/gitlab/search_results.rb:53
- see MR for more
/cc @felipe_artur