From b9c551302253f86a8a85e8288099696b1d8ccdd6 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Tue, 21 Jul 2015 22:48:34 +0200
Subject: Fix: user could steal specific runner

- check if user has manage access to project
- don't cache result of authorized_projects, because it's serialised with User object
- clear user sessions
---
 app/models/user.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'app/models')
diff --git a/app/models/user.rb b/app/models/user.rb
index 138e5e4..1523577 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -71,7 +71,10 @@ class User
 end

 def authorized_projects
- @authorized_projects ||= Project.where(gitlab_id: gitlab_projects.map(&:id))
+ Project.where(gitlab_id: gitlab_projects.map(&:id)).select do |project|
+ # This is slow: it makes request to GitLab for each project to verify manage permission
+ can_manage_project?(project.gitlab_id)
+ end
 end

 private
-- cgit v1.2.1
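Review bot: The block-form `select` on the new first line of `authorized_projects` loads every candidate row and returns a plain Array instead of the ActiveRecord relation the removed line returned, so any caller that chained a query method (`.where`, `.find_by`, `.pluck`) onto the result will now break or quietly change meaning; the commit message does not mention this interface change, so the callers deserve a check. The authorization decision now also rests on one remote GitLab request per project, and `can_manage_project?` is not visible in this hunk: it has to fail closed on a timeout, exception or non-2xx reply, otherwise an API outage or partial failure could widen (or, with a rescue-to-nil, silently shrink) the set of projects a user may manage. Worth stating next to the call: `# Security: must fail closed — a GitLab API error must never be treated as manage access`. The enclosing `class User` starts and ends outside the hunk.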