diff options
| author | Rémy Coutable <remy@rymai.me> | 2016-06-24 12:01:48 +0200 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-06-24 12:01:48 +0200 |
| commit | aec3475df94bc9681a723c344f3df05972ebe68c (patch) | |
| tree | 3ed0b3d284fc4c0657f06489a5403f1c30126b30 /spec/features/groups | |
| parent | 4477dc249e563e60e126d4f5ad2692297a9584c1 (diff) | |
| download | gitlab-ce-aec3475df94bc9681a723c344f3df05972ebe68c.tar.gz | |
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.
Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.
Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...
My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.
Now they are all secure.
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'spec/features/groups')
| -rw-r--r-- | spec/features/groups/members/user_requests_access_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/features/groups/members/user_requests_access_spec.rb b/spec/features/groups/members/user_requests_access_spec.rb index 1ea607cbca0..4944301c938 100644 --- a/spec/features/groups/members/user_requests_access_spec.rb +++ b/spec/features/groups/members/user_requests_access_spec.rb @@ -4,6 +4,7 @@ feature 'Groups > Members > User requests access', feature: true do let(:user) { create(:user) } let(:owner) { create(:user) } let(:group) { create(:group, :public) } + let!(:project) { create(:project, :private, namespace: group) } background do group.add_owner(owner) @@ -24,6 +25,20 @@ feature 'Groups > Members > User requests access', feature: true do expect(page).not_to have_content 'Leave Group' end + scenario 'user does not see private projects' do + perform_enqueued_jobs { click_link 'Request Access' } + + expect(page).not_to have_content project.name + end + + scenario 'user does not see group in the Dashboard > Groups page' do + perform_enqueued_jobs { click_link 'Request Access' } + + visit dashboard_groups_path + + expect(page).not_to have_content group.name + end + scenario 'user is not listed in the group members page' do click_link 'Request Access' |