# HG changeset patch
# User Marcin Lulek
# Date 2017-11-18 18:37:47
# Node ID 4ded942f36ce7613d654747feb9a8adbab8a1201
# Parent 8a477b72d1601e03c7b0498255935426cc94e61c
pull-requests: security, check for permissions on exposure of repo-refs
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -679,6 +679,13 @@ class RepoPullRequestsView(RepoAppView,
 repo = Repository.get_by_repo_name(target_repo_name)
 if not repo:
 raise HTTPNotFound()
+
+ target_perm = HasRepoPermissionAny(
+ 'repository.read', 'repository.write', 'repository.admin')(
+ target_repo_name)
+ if not target_perm:
+ raise HTTPNotFound()
+
 return PullRequestModel().generate_repo_data(
 repo, translator=self.request.translate)
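Review bot: The added permission check is keyed on the request-supplied `target_repo_name`, while the refs that get returned come from the loaded `repo` object. Passing `repo.repo_name)` instead of `target_repo_name)` would tie the authorization decision to the exact record being exposed. That matters only if the name lookup is more lenient than the permission map (for example through case folding), which cannot be confirmed from this hunk. Answering a forbidden repository with the same `HTTPNotFound` as a missing one avoids confirming that a private repository exists, and that intent deserves a comment such as `# 404 rather than 403: do not reveal repos the user cannot read`. No regression test for a user without read access on the target repository is visible in this patch, and the enclosing view method starts above the hunk.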