author | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:39:10 +0200 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:40:39 +0200 |
commit | 1f813024bacc8ea6ac066c9707aeb414fade0e0a (patch) | |
tree | e3927b821d62921ac0e9e6623c6a770efe8c0059 | |
parent | 24d139ba971cf61a4b7a01031c4c57bcba29b172 (diff) | |
download | gitlab-ce-1f813024bacc8ea6ac066c9707aeb414fade0e0a.tar.gz |
Don't leak existence of project via search autocomplete.
-rw-r--r-- | CHANGELOG | 2 | ||||
-rw-r--r-- | app/controllers/search_controller.rb | 7 |
2 files changed, 8 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 0878c03207b..0a61fee1cb2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
 v 7.10.0 (unreleased)
+ - Don't leak existence of project via search autocomplete.
+ - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
 - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
 - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
 - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index a3284c82d3f..16a5ee2ae35 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -35,7 +35,12 @@ class SearchController < ApplicationController
 def autocomplete
 term = params[:term]
- @project = Project.find(params[:project_id]) if params[:project_id].present?
+
+ if params[:project_id].present?
+ @project = Project.find_by(id: params[:project_id])
+ @project = nil unless can?(current_user, :read_project, @project)
+ end
+
 @ref = params[:project_ref] if params[:project_ref].present?
 render json: search_autocomplete_opts(term).to_json |