summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-06-06 08:59:06 +0000
committerTomasz Maczukin <tomasz@maczukin.pl>2016-06-14 22:25:10 +0200
commit6a5139276352d7fcb10dc9a3a0f89d676799e894 (patch)
tree7178496c1cd8a8b68286cfeaf6cb91037966095a /app
parent767d3223fc9ce1513274ce6fc3ab7eb3d7c7349c (diff)
downloadgitlab-ce-6a5139276352d7fcb10dc9a3a0f89d676799e894.tar.gz
Merge branch 'fix/unauthorized-access-to-build-data' into 'master'
Remove 'unscoped' from project builds selection This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188 /cc @kamil @grzegorz @stanhu See merge request !1968
Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/artifacts_controller.rb2
-rw-r--r--app/controllers/projects/builds_controller.rb2
2 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/projects/artifacts_controller.rb b/app/controllers/projects/artifacts_controller.rb
index cfea1266516..832d7deb57d 100644
--- a/app/controllers/projects/artifacts_controller.rb
+++ b/app/controllers/projects/artifacts_controller.rb
@@ -37,7 +37,7 @@ class Projects::ArtifactsController < Projects::ApplicationController
private
def build
- @build ||= project.builds.unscoped.find_by!(id: params[:build_id])
+ @build ||= project.builds.find_by!(id: params[:build_id])
end
def artifacts_file
diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb
index bb1f6c5e980..db3ae586059 100644
--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
@@ -81,7 +81,7 @@ class Projects::BuildsController < Projects::ApplicationController
private
def build
- @build ||= project.builds.unscoped.find_by!(id: params[:id])
+ @build ||= project.builds.find_by!(id: params[:id])
end
def build_path(build)
View Lorry Controller Status