Commit 6350b32a authored by Dmitriy Zaporozhets

Fix security issues with teams

parent 3ddd9f75
...@@ -18,7 +18,7 @@ class DashboardController < ApplicationController ...@@ -18,7 +18,7 @@ class DashboardController < ApplicationController
@projects @projects
end end
@teams = (UserTeam.with_member(current_user) + UserTeam.created_by(current_user)).uniq @teams = current_user.authorized_teams
@projects = @projects.page(params[:page]).per(30) @projects = @projects.page(params[:page]).per(30)
...@@ -4,11 +4,9 @@ class TeamsController < ApplicationController ...@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
before_filter :authorize_manage_user_team!, only: [:edit, :update] before_filter :authorize_manage_user_team!, only: [:edit, :update]
before_filter :authorize_admin_user_team!, only: [:destroy] before_filter :authorize_admin_user_team!, only: [:destroy]
layout 'user_team', except: [:new, :create] before_filter :user_team, except: [:new, :create]
def index layout 'user_team', except: [:new, :create]
@teams = current_user.user_teams.order('name ASC')
end
def show def show
user_team user_team
...@@ -83,7 +81,6 @@ class TeamsController < ApplicationController ...@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
end end
def user_team def user_team
@team ||= UserTeam.find_by_path(params[:id]) @team ||= current_user.authorized_teams.find_by_path(params[:id])
end end
end end
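Review bot: `user_team` now returns nil both for a team the current user is not authorized on and for a path that does not exist, and because `before_filter :user_team` runs for every action except new/create, `show`, `edit`, `update` and `destroy` will continue with `@team = nil` and most likely fail with a NoMethodError (500) instead of a 404. Scoping the lookup to `current_user.authorized_teams` is the right fix for the access-control hole, but the nil case should be rejected explicitly, e.g. `@team ||= current_user.authorized_teams.find_by_path(params[:id])` followed by `@team || raise(ActiveRecord::RecordNotFound)`. Since unauthorized and nonexistent teams both resolve to nil, the response does not reveal whether a team exists, and that property is worth keeping when the nil is handled. `authorize_manage_user_team!` and `authorize_admin_user_team!` are declared ahead of the `user_team` filter and so run first; they are defined outside this hunk and presumably resolve `@team` through the memoized `user_team`, so confirm they do not do their own unscoped `UserTeam.find_by_path`.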
...@@ -74,6 +74,7 @@ module ApplicationHelper ...@@ -74,6 +74,7 @@ module ApplicationHelper
def search_autocomplete_source def search_autocomplete_source
projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } } projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } } groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
default_nav = [ default_nav = [
{ label: "My Profile", url: profile_path }, { label: "My Profile", url: profile_path },
...@@ -295,4 +295,15 @@ class User < ActiveRecord::Base ...@@ -295,4 +295,15 @@ class User < ActiveRecord::Base
def namespace_id def namespace_id
namespace.try :id namespace.try :id
end end
def authorized_teams
@authorized_teams ||= begin
ids = []
ids << UserTeam.with_member(self).pluck('user_teams.id')
ids << UserTeam.created_by(self).pluck('user_teams.id')
ids.flatten
UserTeam.where(id: ids)
end
end
end end
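Review bot: `ids.flatten` in `authorized_teams` is non-destructive and its result is discarded, so `ids` is still an array of two arrays when it reaches `UserTeam.where(id: ids)`; this appears to work only because Arel's array visitor quotes nested arrays recursively, which is accidental rather than intended. Pass the flattened list directly, `UserTeam.where(id: ids.flatten)`, or build it as `ids = UserTeam.with_member(self).pluck('user_teams.id') + UserTeam.created_by(self).pluck('user_teams.id')`. Two points deserve a comment on the method: including `created_by` keeps a team's creator authorized permanently even if they are later removed as a member, which should be confirmed as intended, and memoizing the relation rather than the loaded records means each caller that iterates it re-runs the query. A short header would help, e.g. `# Teams visible to this user: those they belong to plus those they created (memoized per instance).`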