From 1f813024bacc8ea6ac066c9707aeb414fade0e0a Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 10 Apr 2015 18:39:10 +0200
Subject: Don't leak existence of project via search autocomplete.

---
 app/controllers/search_controller.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index a3284c82d3f..16a5ee2ae35 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -35,7 +35,12 @@ class SearchController < ApplicationController
   def autocomplete
     term = params[:term]
-    @project = Project.find(params[:project_id]) if params[:project_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :read_project, @project)
+    end
+
     @ref = params[:project_ref] if params[:project_ref].present?
     render json: search_autocomplete_opts(term).to_json
--
cgit v1.2.1
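Review bot: When `find_by` returns nil for an unknown id, the following line still calls `can?(current_user, :read_project, nil)`, so the "project does not exist" path now depends on the ability layer tolerating a nil subject rather than on the controller itself; short-circuiting keeps that decision local and keeps the unknown-id and forbidden-project outcomes identical from the controller alone: `@project = nil unless @project && can?(current_user, :read_project, @project)`. The switch from `find` (which raised and produced a different status for an unknown id than for a readable one) to `find_by` is what closes the existence leak, and the guard above preserves that property without relying on `can?`'s nil handling. `@ref` is still taken from `params[:project_ref]` even when `@project` ends up nil; whether `search_autocomplete_opts` copes with a ref and no project is not visible in this hunk. The closing `end` of `autocomplete` falls outside the visible hunk.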