From b3d75ac5135130522f253d4b09f72a7c0a8e2f80 Mon Sep 17 00:00:00 2001
From: Phil Hughes <me@iamphill.com>
Date: Fri, 2 Sep 2016 09:28:25 +0100
Subject: [PATCH] Return 403 if user can't update group

---
 app/controllers/projects/group_links_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 57c54bf625a..b5e314dced3 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -21,6 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController
 
   def update
     @group_link = @project.project_group_links.find(params[:id])
+    return render_403 unless can?(current_user, action_member_permission(:admin, @group_link.group), @group_link.group)
 
     @group_link.update_attributes(group_link_params)
   end
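Review bot: The added guard in `update` authorises against `@group_link.group` only, so the outcome depends on the user's rights in the group rather than in `@project`. Whether a project-level check (for example a `before_action`) already covers this action is not visible here, because the rest of the controller lies outside the hunk, and it should be confirmed. The diffstat lists one changed file, so the 403 path ships without a controller spec. A request made as a user lacking the permission, asserting a 403 status and an unchanged group link, would pin the behaviour. For readability the group could be held in a local: `group = @group_link.group`, then `return render_403 unless can?(current_user, action_member_permission(:admin, group), group)`.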
-- 
GitLab