From 77e508d8fd7a915f5ae221f5e4d6022560398a9e Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Thu, 20 Aug 2015 18:32:32 -0700
Subject: [PATCH] Fix bug where non-project members of the target project could
 set labels on new merge requests.

---
 CHANGELOG                                 | 1 +
 app/views/shared/issuable/_form.html.haml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 54f83e5aeac..17b063536df 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ v 8.0.0 (unreleased)
   - Allow configuration of import sources for new projects (Artem Sidorenko)
 
 v 7.14.0 (unreleased)
+  - Fix bug where non-project members of the target project could set labels on new merge requests.
   - Update default robots.txt rules to disallow crawling of irrelevant pages (Ben Bodenmiller)
   - Fix redirection after sign in when using auto_sign_in_with_provider
   - Upgrade gitlab_git to 7.2.14 to ignore CRLFs in .gitmodules (Stan Hu)
diff --git a/app/views/shared/issuable/_form.html.haml b/app/views/shared/issuable/_form.html.haml
index 3489bf3f191..f6b09de3839 100644
--- a/app/views/shared/issuable/_form.html.haml
+++ b/app/views/shared/issuable/_form.html.haml
@@ -38,7 +38,7 @@
       .clearfix
       .error-alert
   %hr
-- if can?(current_user, :"admin_#{issuable.to_ability_name}", @project)
+- if can?(current_user, :"admin_#{issuable.to_ability_name}", issuable.project)
   .form-group
     .issue-assignee
       = f.label :assignee_id, class: 'control-label' do
-- 
GitLab