authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-01-25 15:51:45 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-01-25 15:51:45 +0200
commit6350b32a3dddf70a28526c4f95c652072411e9c7 (patch)
tree96c996a2f63f9fede4c5b2b081fd3acedb1049f5 /app/controllers/teams_controller.rb
parent3ddd9f753c0a6a57313ea4860bf7167f98f53cd2 (diff)
Fix security issues with teams
Diffstat (limited to 'app/controllers/teams_controller.rb')
-rw-r--r--app/controllers/teams_controller.rb9
1 files changed, 3 insertions, 6 deletions
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index 828bdeb80ab..e69a092c507 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
before_filter :authorize_manage_user_team!, only: [:edit, :update]
before_filter :authorize_admin_user_team!, only: [:destroy]
- layout 'user_team', except: [:new, :create]
+ before_filter :user_team, except: [:new, :create]
- def index
- @teams = current_user.user_teams.order('name ASC')
- end
+ layout 'user_team', except: [:new, :create]
def show
user_team
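Review bot: The added `before_filter :user_team` only memoizes `@team` and never halts the request, so when the scoped lookup in `user_team` (second hunk) returns nil for a team outside `current_user.authorized_teams`, `show` and the other actions still run with `@team` unset. That most likely surfaces as a NoMethodError and a 500 rather than a 404, and it leaves the denial to each action and view happening to fail on nil. Using the raising finder in `user_team`, `@team ||= current_user.authorized_teams.find_by_path!(params[:id])`, makes a miss raise ActiveRecord::RecordNotFound so the filter chain stops there. The class body continues outside this hunk, so nil handling elsewhere in the controller cannot be ruled out from here.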
@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
end
def user_team
- @team ||= UserTeam.find_by_path(params[:id])
+ @team ||= current_user.authorized_teams.find_by_path(params[:id])
end
-
end
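Review bot: `user_team` is now the access-control boundary for every action except new/create, but nothing at the method says so, and a later refactor could quietly go back to an unscoped `UserTeam.find_by_path`. I would add a comment above the assignment such as `# Access control: look the team up only among current_user.authorized_teams; do not query UserTeam directly here.` What `authorized_teams` contains (for example whether admins see every team) is defined outside this page, so it is worth confirming that the `authorize_admin_user_team!` path on destroy still finds the team for the users it is meant to allow.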