From 7403afea9748316b78242ecb250f619fe1a15b36 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Thu, 24 Jan 2013 14:15:14 +0200
Subject: [PATCH] Reject non-owned projects to assign to teams

---
 app/controllers/teams/projects_controller.rb | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/app/controllers/teams/projects_controller.rb b/app/controllers/teams/projects_controller.rb
index 9e9cd9f5f57..f5729351508 100644
--- a/app/controllers/teams/projects_controller.rb
+++ b/app/controllers/teams/projects_controller.rb
@@ -16,13 +16,19 @@ class Teams::ProjectsController < Teams::ApplicationController
 end

 def create
- unless params[:project_ids].blank?
- project_ids = params[:project_ids]
- access = params[:greatest_project_access]
- user_team.assign_to_projects(project_ids, access)
- end
+ redirect_to :back if params[:project_ids].blank?
+
+ project_ids = params[:project_ids]
+ access = params[:greatest_project_access]
+
+ # Reject non-allowed projects
+ allowed_project_ids = current_user.owned_projects.map(&:id)
+ project_ids.select! { |id| allowed_project_ids.include?(id) }
+
+ # Assign projects to team
+ user_team.assign_to_projects(project_ids, access)

- redirect_to team_projects_path(user_team), notice: 'Team of users was successfully assgned to projects.'
+ redirect_to team_projects_path(user_team), notice: 'Team of users was successfully assigned to projects.'
 end

 def edit
--
GitLab
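Review bot: The new guard `redirect_to :back if params[:project_ids].blank?` at the top of `create` does not return, so a request without `project_ids` falls through to `project_ids.select!` on a nil or empty value and then to the second `redirect_to`, ending in an exception rather than a redirect; it should read `return redirect_to(:back) if params[:project_ids].blank?`. The ownership filter also compares request parameters, which normally arrive as strings, against the integer ids from `owned_projects.map(&:id)`, so `include?(id)` would likely reject every submitted project. Writing it as `project_ids.select! { |id| allowed_project_ids.include?(id.to_i) }` keeps the check fail-closed while letting owned projects through. Because this filter is the authorization boundary for assigning projects to a team, a controller test that submits one owned and one non-owned id would pin the intended behaviour. The success notice is also still shown when the filter leaves nothing to assign.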