author | Chantal Rollison <crollison@gitlab.com> | 2018-11-06 08:05:25 -0800 |
---|---|---|
committer | Chantal Rollison <crollison@gitlab.com> | 2018-11-07 07:16:11 -0800 |
commit | 94a4ea0538d0756decfdfefab15963ad30642630 (patch) | |
tree | d37f654e561b3b59ecafed7866ef5f776b38193e | |
parent | 1c315f4c26ee0d682dd232c077a1bf38a7634b70 (diff) | |
Fixed read name of private groups
-rw-r--r-- | app/controllers/dashboard/todos_controller.rb | 10 | ||||
-rw-r--r-- | changelogs/unreleased/security-private-group-11-5.yml | 6 | ||||
-rw-r--r-- | spec/controllers/dashboard/todos_controller_spec.rb | 10 |
3 files changed, 26 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index bd7111e28bc..d674438c26d 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -2,6 +2,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
 include ActionView::Helpers::NumberHelper
 
 before_action :authorize_read_project!, only: :index
+ before_action :authorize_read_group!, only: :index
 before_action :find_todos, only: [:index, :destroy_all]
 
 def index
@@ -58,6 +59,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
 end
 end
 
+ def authorize_read_group!
+ group_id = params[:group_id]
+
+ if group_id.present?
+ group = Group.find(group_id)
+ render_404 unless can?(current_user, :read_group, group)
+ end
+ end
+
 def find_todos
 @todos ||= TodosFinder.new(current_user, todo_params).execute
 end
diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml
new file mode 100644
index 00000000000..dbb7794dfed
--- /dev/null
+++ b/changelogs/unreleased/security-private-group-11-5.yml
@@ -0,0 +1,6 @@
+---
+title: Removed ability to see private group names when the group id is entered in
+ the url.
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index b4a731fd3a3..e2c799f5205 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
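Review bot: In `authorize_read_group!`, `Group.find(group_id)` raises `ActiveRecord::RecordNotFound` for an unknown id, so a missing group is answered by the framework's exception handling while a forbidden group goes through `render_404`; the two not-found cases should take the same path so the responses never diverge in a way that tells a caller whether a private group id exists. `group = Group.find_by(id: group_id)` followed by `render_404 unless group && can?(current_user, :read_group, group)` gives both cases one response. The new filter is registered for `index` only, while `find_todos` also runs for `destroy_all` with `todo_params`; whether the finder scopes by the same `group_id` there cannot be seen from this hunk and is worth confirming. A short comment on the method, `# 404 rather than 403 so a private group's existence is not revealed by the response`, would record why the check renders 404. The `Dashboard::TodosController` class continues outside both hunks.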
@@ -42,6 +42,16 @@ describe Dashboard::TodosController do
 end
 end
 
+ context 'group authorization' do
+ it 'renders 404 when user does not have read access on given group' do
+ unauthorized_group = create(:group, :private)
+
+ get :index, group_id: unauthorized_group.id
+
+ expect(response).to have_gitlab_http_status(404)
+ end
+ end
+
 context 'when using pagination' do
 let(:last_page) { user.todos.page.total_pages }
 let!(:issues) { create_list(:issue, 3, project: project, assignees: [user]) }
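Review bot: The new `group authorization` context pins only the unauthorized case, so a regression that answers every `group_id` request with 404 would still pass. A second example that creates a private group, adds `user` as a member, issues `get :index, group_id: group.id` and expects a 200 would pin the positive branch, and a third with a non-existent `group_id` would pin the not-found branch so that the two 404 paths stay identical. The surrounding `describe` block continues outside the hunk.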