diff options
| author | Steve Azzopardi <sazzopardi@gitlab.com> | 2018-11-23 14:23:21 +0000 |
|---|---|---|
| committer | Steve Azzopardi <sazzopardi@gitlab.com> | 2018-11-23 14:23:21 +0000 |
| commit | 56417b96e097901c044b4e4655385de1d2e4e506 (patch) | |
| tree | 771397ec7840a5c212ab53992457507498c6961b | |
| parent | d88c471071e47fc0b3995056821c81d59a0de76b (diff) | |
| parent | 94a4ea0538d0756decfdfefab15963ad30642630 (diff) | |
| download | gitlab-ce-56417b96e097901c044b4e4655385de1d2e4e506.tar.gz | |
Merge branch 'security-private-group-11-3' into 'security-11-3'
[11.3] Fixed read name of private groups
See merge request gitlab/gitlabhq!2592
| -rw-r--r-- | app/controllers/dashboard/todos_controller.rb | 10 | ||||
| -rw-r--r-- | changelogs/unreleased/security-private-group-11-5.yml | 6 | ||||
| -rw-r--r-- | spec/controllers/dashboard/todos_controller_spec.rb | 10 |
3 files changed, 26 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb index bd7111e28bc..d674438c26d 100644 --- a/app/controllers/dashboard/todos_controller.rb +++ b/app/controllers/dashboard/todos_controller.rb @@ -2,6 +2,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController include ActionView::Helpers::NumberHelper before_action :authorize_read_project!, only: :index + before_action :authorize_read_group!, only: :index before_action :find_todos, only: [:index, :destroy_all] def index @@ -58,6 +59,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController end end + def authorize_read_group! + group_id = params[:group_id] + + if group_id.present? + group = Group.find(group_id) + render_404 unless can?(current_user, :read_group, group) + end + end + def find_todos @todos ||= TodosFinder.new(current_user, todo_params).execute end diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml new file mode 100644 index 00000000000..dbb7794dfed --- /dev/null +++ b/changelogs/unreleased/security-private-group-11-5.yml @@ -0,0 +1,6 @@ +--- +title: Removed ability to see private group names when the group id is entered in + the url. +merge_request: +author: +type: security diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index b4a731fd3a3..e2c799f5205 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -42,6 +42,16 @@ describe Dashboard::TodosController do end end + context 'group authorization' do + it 'renders 404 when user does not have read access on given group' do + unauthorized_group = create(:group, :private) + + get :index, group_id: unauthorized_group.id + + expect(response).to have_gitlab_http_status(404) + end + end + context 'when using pagination' do let(:last_page) { user.todos.page.total_pages } let!(:issues) { create_list(:issue, 3, project: project, assignees: [user]) } |