Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
11ef7a0f
Commit
11ef7a0f
authored
Nov 06, 2018
by
Chantal Rollison
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fixed read private group names
parent
992cff9c
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
26 additions
and
0 deletions
+26
-0
app/controllers/dashboard/todos_controller.rb
app/controllers/dashboard/todos_controller.rb
+10
-0
changelogs/unreleased/security-private-group.yml
changelogs/unreleased/security-private-group.yml
+6
-0
spec/controllers/dashboard/todos_controller_spec.rb
spec/controllers/dashboard/todos_controller_spec.rb
+10
-0
No files found.
app/controllers/dashboard/todos_controller.rb
View file @
11ef7a0f
...
...
@@ -4,6 +4,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
include
ActionView
::
Helpers
::
NumberHelper
before_action
:authorize_read_project!
,
only: :index
before_action
:authorize_read_group!
,
only: :index
before_action
:find_todos
,
only:
[
:index
,
:destroy_all
]
def
index
...
...
@@ -60,6 +61,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
end
end
def
authorize_read_group!
group_id
=
params
[
:group_id
]
if
group_id
.
present?
group
=
Group
.
find
(
group_id
)
render_404
unless
can?
(
current_user
,
:read_group
,
group
)
end
end
def
find_todos
@todos
||=
TodosFinder
.
new
(
current_user
,
todo_params
).
execute
end
...
...
changelogs/unreleased/security-private-group.yml
0 → 100644
View file @
11ef7a0f
---
title
:
Removed ability to see private group names when the group id is entered in
the url.
merge_request
:
author
:
type
:
security
spec/controllers/dashboard/todos_controller_spec.rb
View file @
11ef7a0f
...
...
@@ -42,6 +42,16 @@ describe Dashboard::TodosController do
end
end
context
'group authorization'
do
it
'renders 404 when user does not have read access on given group'
do
unauthorized_group
=
create
(
:group
,
:private
)
get
:index
,
group_id:
unauthorized_group
.
id
expect
(
response
).
to
have_gitlab_http_status
(
404
)
end
end
context
'when using pagination'
do
let
(
:last_page
)
{
user
.
todos
.
page
.
total_pages
}
let!
(
:issues
)
{
create_list
(
:issue
,
3
,
project:
project
,
assignees:
[
user
])
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment