Merge branch '33303-9-1-security-fix' into 'security-9-1'

[9.1 security fix] Renders 404 if given project is not readable by the user on Todos dashboard

See merge request !2120

1 files changed, 30 insertions, 0 deletions

diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index 6075259ea99..d8e46dcd9ad 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -14,6 +14,36 @@ describe Dashboard::TodosController do
   end
 
   describe 'GET #index' do
+    context 'project authorization' do
+      it 'renders 404 when user does not have read access on given project' do
+        unauthorized_project = create(:empty_project, :private)
+
+        get :index, project_id: unauthorized_project.id
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'renders 404 when given project does not exists' do
+        get :index, project_id: 999
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'renders 200 when filtering for "any project" todos' do
+        get :index, project_id: ''
+
+        expect(response).to have_http_status(200)
+      end
+
+      it 'renders 200 when user has access on given project' do
+        authorized_project = create(:empty_project, :public)
+
+        get :index, project_id: authorized_project.id
+
+        expect(response).to have_http_status(200)
+      end
+    end
+
     context 'when using pagination' do
       let(:last_page) { user.todos.page.total_pages }
       let!(:issues) { create_list(:issue, 2, project: project, assignee: user) }