summaryrefslogtreecommitdiff
path: root/spec/controllers/projects_controller_spec.rb
diff options
context:
space:
mode:
authorKerri Miller <kerrizor@kerrizor.com>2019-09-23 10:55:32 -0700
committerKerri Miller <kerrizor@kerrizor.com>2019-10-09 10:47:45 -0700
commit8395032721f6d6cb26126a5bffcb42984a240c07 (patch)
tree875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/controllers/projects_controller_spec.rb
parent7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff)
downloadgitlab-ce-8395032721f6d6cb26126a5bffcb42984a240c07.tar.gz
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for unrecognized routes (as the name might imply.) We want to avoid `#authenticate_user!` when calling `#route_not_found`; `#authenticate_user!` can, depending on the request format, return a 401 instead of redirecting to a login page. This opens a subtle security exploit where anonymous users will receive a 401 response when attempting to access a private repo, while a recognized user will receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'spec/controllers/projects_controller_spec.rb')
-rw-r--r--spec/controllers/projects_controller_spec.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index ea7dd78329a..e0df9556eb8 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -1149,7 +1149,7 @@ describe ProjectsController do
context 'private project with token authentication' do
let(:private_project) { create(:project, :private) }
- it_behaves_like 'authenticates sessionless user', :show, :atom do
+ it_behaves_like 'authenticates sessionless user', :show, :atom, ignore_incrementing: true do
before do
default_params.merge!(id: private_project, namespace_id: private_project.namespace)
View Lorry Controller Status