author | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:39:36 +0200 |
committer | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:40:39 +0200 |
commit | abc06c25319cadc9d0618c17a2a5539d10ce1b38 (patch) | |
tree | 45fc68e910f37a0ff9f6bf37ea6da9960e653474 /app/controllers/search_controller.rb | |
parent | 1f813024bacc8ea6ac066c9707aeb414fade0e0a (diff) | |
download | gitlab-ce-abc06c25319cadc9d0618c17a2a5539d10ce1b38.tar.gz |
Don't leak existence of group or project via search.
Diffstat (limited to 'app/controllers/search_controller.rb')
-rw-r--r-- | app/controllers/search_controller.rb | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 16a5ee2ae35..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController
def show
return if params[:search].nil? || params[:search].blank?
- @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
- @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+ if params[:project_id].present?
+ @project = Project.find_by(id: params[:project_id])
+ @project = nil unless can?(current_user, :download_code, @project)
+ end
+
+ if params[:group_id].present?
+ @group = Group.find_by(id: params[:group_id])
+ @group = nil unless can?(current_user, :read_group, @group)
+ end
+
@scope = params[:scope]
@show_snippets = params[:snippets].eql? 'true'
@search_results =
if @project
- return access_denied! unless can?(current_user, :download_code, @project)
-
unless %w(blobs notes issues merge_requests wiki_blobs).
include?(@scope)
@scope = 'blobs' |