Merge branch 'jej-group-name-disclosure' into 'security'

Prevent private group disclosure via parent_id See merge request !2077
author: Sean McGivern <sean@gitlab.com> 2017-03-28 11:09:44 +0000
committer: DJ Mountney <david@twkie.net> 2017-03-29 19:18:38 -0700
commit: 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree: dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/finders
parent: 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)
download: gitlab-ce-91f43587a8c05a5c2955f0b5c464f03688552cb6.tar.gz
1 files changed, 17 insertions, 0 deletions
diff --git a/app/finders/group_finder.rb b/app/finders/group_finder.rb
new file mode 100644
index 00000000000..24c84d2d1aa
--- /dev/null
+++ b/app/finders/group_finder.rb
@@ -0,0 +1,17 @@
+class GroupFinder
+  include Gitlab::Allowable
+
+  def initialize(current_user)
+    @current_user = current_user
+  end
+
+  def execute(*params)
+    group = Group.find_by(*params)
+
+    if can?(@current_user, :read_group, group)
+      group
+    else
+      nil
+    end
+  end
+end
author	Sean McGivern <sean@gitlab.com>	2017-03-28 11:09:44 +0000
committer	DJ Mountney <david@twkie.net>	2017-03-29 19:18:38 -0700
commit	91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree	dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/finders
parent	60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)
download	gitlab-ce-91f43587a8c05a5c2955f0b5c464f03688552cb6.tar.gz