# HG changeset patch
# User Marcin Lulek
# Date 2017-11-18 18:37:47
# Node ID 76c34f087f7f1bf06e5cefaaf86fe2867ecb0c78
# Parent 8a80782a062bc6c74edef642b9089012a4c75be7
pull-requests: security, check for permissions on exposure of repo-refs
diff --git a/rhodecode/apps/repository/views/repo_pull_requests.py b/rhodecode/apps/repository/views/repo_pull_requests.py
--- a/rhodecode/apps/repository/views/repo_pull_requests.py
+++ b/rhodecode/apps/repository/views/repo_pull_requests.py
@@ -681,6 +681,13 @@ class RepoPullRequestsView(RepoAppView,
 repo = Repository.get_by_repo_name(target_repo_name)
 if not repo:
 raise HTTPNotFound()
+
+ target_perm = HasRepoPermissionAny(
+ 'repository.read', 'repository.write', 'repository.admin')(
+ target_repo_name)
+ if not target_perm:
+ raise HTTPNotFound()
+
 return PullRequestModel().generate_repo_data(
 repo, translator=self.request.translate)
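Review bot: The added permission check is keyed on the request-supplied `target_repo_name` rather than on the repository object resolved just above it, so if `Repository.get_by_repo_name` normalises the name in any way (not visible in this hunk) the lookup and the authorisation decision could refer to different keys; passing `repo.repo_name` to the `HasRepoPermissionAny(...)` call would bind the check to the object whose refs are returned. Answering with `HTTPNotFound` for both the missing-repo and the no-permission case keeps the endpoint from confirming that a private repository exists, and that intent deserves a comment such as `# 404, not 403: do not reveal that the repository exists`. A regression test that calls this view as a user without read access to the target repo and expects a 404 would pin the fix; the patch as shown touches only the view file. The enclosing method starts above the hunk, so any earlier use of `target_repo_name` is outside this review.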