diff options
| author | Kerri Miller <kerrizor@kerrizor.com> | 2019-09-23 10:55:32 -0700 |
|---|---|---|
| committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-10-09 10:47:45 -0700 |
| commit | 8395032721f6d6cb26126a5bffcb42984a240c07 (patch) | |
| tree | 875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/features/projects/pipelines | |
| parent | 7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff) | |
| download | gitlab-ce-8395032721f6d6cb26126a5bffcb42984a240c07.tar.gz | |
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'spec/features/projects/pipelines')
| -rw-r--r-- | spec/features/projects/pipelines/pipelines_spec.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/spec/features/projects/pipelines/pipelines_spec.rb b/spec/features/projects/pipelines/pipelines_spec.rb index 4fb72eb8737..76d8ad1638b 100644 --- a/spec/features/projects/pipelines/pipelines_spec.rb +++ b/spec/features/projects/pipelines/pipelines_spec.rb @@ -827,7 +827,10 @@ describe 'Pipelines', :js do context 'when project is private' do let(:project) { create(:project, :private, :repository) } - it { expect(page).to have_content 'You need to sign in' } + it 'redirects the user to sign_in and displays the flash alert' do + expect(page).to have_content 'You need to sign in' + expect(page.current_path).to eq("/users/sign_in") + end end end |