authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-04-05 13:55:15 +0200
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-04-05 13:55:15 +0200
commitc52b5c92fbd31dc6f76087c43a94243d382d3172 (patch)
tree3fa786904191b132c3d429e7a157c2418f282542
parentb248ee93814e8521fa0c73c82ec9ed113698b945 (diff)
downloadgitlab-ce-c52b5c92fbd31dc6f76087c43a94243d382d3172.tar.gz
Do not leak project exists when importing members
When importing members, if the user does not have permission to read members of the source project, do not leak information about the source project's existence. Notify the user that the project has not been found instead.
-rw-r--r--app/controllers/projects/project_members_controller.rb8
-rw-r--r--spec/controllers/projects/project_members_controller_spec.rb4
2 files changed, 6 insertions, 6 deletions
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index cd984f03c6b..fd56dfd1260 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -94,13 +94,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
end
def apply_import
- giver = Project.find(params[:source_project_id])
+ source_project = Project.find(params[:source_project_id])
- if current_user.can?(:read_project_member, giver)
- status = @project.team.import(giver, current_user)
+ if can?(current_user, :read_project_member, source_project)
+ status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
- notice = 'You are not authorized to import members from this project'
+ notice = 'Import failed - source project not found!'
end
redirect_to(namespace_project_project_members_path(project.namespace, project),
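Review bot: `Project.find(params[:source_project_id])` at the top of `apply_import` still raises `ActiveRecord::RecordNotFound` when the id matches no project, so a missing project and an unreadable one probably remain distinguishable. One would produce an error or 404 response and the other the redirect with the 'source project not found' flash, unless a handler outside this hunk maps them together. To send both cases down the same branch, look the project up without raising and fold the nil case into the permission check: `source_project = Project.find_by(id: params[:source_project_id])` and `if source_project && can?(current_user, :read_project_member, source_project)`. The method continues past the end of the hunk, so the full `redirect_to` call is not visible here.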
diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb
index 6d1df8d9fbe..6ff3d4199f6 100644
--- a/spec/controllers/projects/project_members_controller_spec.rb
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -41,8 +41,8 @@ describe Projects::ProjectMembersController do
expect(project.team_members).to_not include member
end
- it 'notifies about invalid permissions' do
- expect(response).to set_flash.to /not authorized/
+ it 'pretends that source projects does not exist' do
+ expect(response).to set_flash.to /source project not found/
end
end
end
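Review bot: The renamed example only covers a source project that exists but is not readable by the current user; nothing in this hunk checks that a `source_project_id` matching no project yields the same flash and redirect. Since the aim of the change is that the two cases look identical to the caller, add a sibling example that submits an unused id and asserts `expect(response).to set_flash.to(/source project not found/)` along with the same redirect target. The enclosing describe/context blocks and the request setup start outside the hunk, so how the request is issued is not visible here.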