diff options
author | Robert Speicher <robert@gitlab.com> | 2016-05-11 12:49:29 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2016-05-11 12:49:29 +0000 |
commit | 24f353edc4e90a7846bb6706f6b89e1bb6db7469 (patch) | |
tree | 7dee14d6f545f26de63e740d5194cba1f3249746 /app/controllers | |
parent | d526cda5028c9b55241a6996f32cc6a967e8fcba (diff) | |
parent | acd8930c46c06312f87c5ea0bb549b5435feece8 (diff) | |
download | gitlab-ce-24f353edc4e90a7846bb6706f6b89e1bb6db7469.tar.gz |
Merge branch '17249-starred' into 'master'
Restrict starred projects to viewable ones
`User#starred_projects` doesn't perform any visibility checks. This has
a couple of problems:
1. It assumes a user can always view all of their starred projects in
perpetuity (project not changed to private, access revoked, etc.).
2. It assumes that we'll only ever allow a user to star a project they
can view. This is currently the case, but bugs happen.
Add `User#viewable_starred_projects` to filter the starred projects by
those the user either has explicit access to, or are public or
internal. Then use that in all places where we list the user's starred
projects.
Closes #17249.
See merge request !4108
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/dashboard/projects_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/dashboard_controller.rb | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/dashboard/projects_controller.rb b/app/controllers/dashboard/projects_controller.rb index 71acc244a91..c08eb811532 100644 --- a/app/controllers/dashboard/projects_controller.rb +++ b/app/controllers/dashboard/projects_controller.rb @@ -28,7 +28,7 @@ class Dashboard::ProjectsController < Dashboard::ApplicationController end def starred - @projects = current_user.starred_projects.sorted_by_activity + @projects = current_user.viewable_starred_projects.sorted_by_activity @projects = filter_projects(@projects) @projects = @projects.includes(:namespace, :forked_from_project, :tags) @projects = @projects.sort(@sort = params[:sort]) diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb index 1dce4a21729..4dda4e51f6a 100644 --- a/app/controllers/dashboard_controller.rb +++ b/app/controllers/dashboard_controller.rb @@ -25,7 +25,7 @@ class DashboardController < Dashboard::ApplicationController def load_events projects = if params[:filter] == "starred" - current_user.starred_projects + current_user.viewable_starred_projects else current_user.authorized_projects end |