diff options
author | Sean McGivern <sean@gitlab.com> | 2017-06-13 17:14:50 +0000 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-07-19 15:42:45 +0100 |
commit | 3f6793c3304d873e1ecf0b57f0fbcdd5852c605a (patch) | |
tree | 78bb156b1e9cfed0fbfbcb2e71acbf8d3eff8bb9 | |
parent | bd23c02d412e807962221f7ff73ec831fd466395 (diff) | |
download | gitlab-ce-3f6793c3304d873e1ecf0b57f0fbcdd5852c605a.tar.gz |
Merge branch '33303-9-2-security-fix' into 'security-9-2'
[9.2 security fix] Renders 404 if given project is not readable by the user on Todos dashboard
See merge request !2119
-rw-r--r-- | app/controllers/dashboard/todos_controller.rb | 10 | ||||
-rw-r--r-- | changelogs/unreleased/33303-404-for-unauthorized-project.yml | 4 | ||||
-rw-r--r-- | spec/controllers/dashboard/todos_controller_spec.rb | 30 |
3 files changed, 44 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb index 4d7d45787fc..22448c93f0b 100644 --- a/app/controllers/dashboard/todos_controller.rb +++ b/app/controllers/dashboard/todos_controller.rb @@ -1,6 +1,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController include ActionView::Helpers::NumberHelper + before_action :authorize_read_project!, only: :index before_action :find_todos, only: [:index, :destroy_all] def index @@ -50,6 +51,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController private + def authorize_read_project! + project_id = params[:project_id] + + if project_id.present? + project = Project.find(project_id) + render_404 unless can?(current_user, :read_project, project) + end + end + def find_todos @todos ||= TodosFinder.new(current_user, params).execute end diff --git a/changelogs/unreleased/33303-404-for-unauthorized-project.yml b/changelogs/unreleased/33303-404-for-unauthorized-project.yml new file mode 100644 index 00000000000..5a5a337129e --- /dev/null +++ b/changelogs/unreleased/33303-404-for-unauthorized-project.yml @@ -0,0 +1,4 @@ +--- +title: Renders 404 if given project is not readable by the user on Todos dashboard +merge_request: +author: diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index 085f3fd8543..4a48621abe1 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -12,6 +12,36 @@ describe Dashboard::TodosController do end describe 'GET #index' do + context 'project authorization' do + it 'renders 404 when user does not have read access on given project' do + unauthorized_project = create(:empty_project, :private) + + get :index, project_id: unauthorized_project.id + + expect(response).to have_http_status(404) + end + + it 'renders 404 when given project does not exists' do + get :index, project_id: 999 + + expect(response).to have_http_status(404) + end + + it 'renders 200 when filtering for "any project" todos' do + get :index, project_id: '' + + expect(response).to have_http_status(200) + end + + it 'renders 200 when user has access on given project' do + authorized_project = create(:empty_project, :public) + + get :index, project_id: authorized_project.id + + expect(response).to have_http_status(200) + end + end + context 'when using pagination' do let(:last_page) { user.todos.page.total_pages } let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) } |