diff options
| author | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-21 22:48:34 +0200 |
|---|---|---|
| committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-22 16:52:19 +0200 |
| commit | b9c551302253f86a8a85e8288099696b1d8ccdd6 (patch) | |
| tree | 5308f2a13fe26929e9df717d56f7f39a157d2d20 /app/models | |
| parent | 7728125c3e3474fef153c0037355c20ec72868b0 (diff) | |
| download | gitlab-ci-b9c551302253f86a8a85e8288099696b1d8ccdd6.tar.gz | |
Fix: user could steal specific runner
- check if user has manage access to project
- don't cache result of authorized_projects, because it's serialised with User object
- clear user sessions
Diffstat (limited to 'app/models')
| -rw-r--r-- | app/models/user.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index 138e5e4..1523577 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -71,7 +71,10 @@ class User end def authorized_projects - @authorized_projects ||= Project.where(gitlab_id: gitlab_projects.map(&:id)) + Project.where(gitlab_id: gitlab_projects.map(&:id)).select do |project| + # This is slow: it makes request to GitLab for each project to verify manage permission + can_manage_project?(project.gitlab_id) + end end private |