Commit 81d55bb0 authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-private-group' into 'master'

[master] Fixed read private group names

See merge request gitlab/gitlabhq!2589
parents ffe93719 11ef7a0f
...@@ -4,6 +4,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController ...@@ -4,6 +4,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
include ActionView::Helpers::NumberHelper include ActionView::Helpers::NumberHelper
before_action :authorize_read_project!, only: :index before_action :authorize_read_project!, only: :index
before_action :authorize_read_group!, only: :index
before_action :find_todos, only: [:index, :destroy_all] before_action :find_todos, only: [:index, :destroy_all]
def index def index
...@@ -60,6 +61,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController ...@@ -60,6 +61,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
end end
end end
def authorize_read_group!
group_id = params[:group_id]
if group_id.present?
group = Group.find(group_id)
render_404 unless can?(current_user, :read_group, group)
end
end
def find_todos def find_todos
@todos ||= TodosFinder.new(current_user, todo_params).execute @todos ||= TodosFinder.new(current_user, todo_params).execute
end end
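Review bot: `authorize_read_group!` is registered with `only: :index`, but `find_todos` on the next line runs for `[:index, :destroy_all]` and feeds the same `todo_params` to `TodosFinder`. If `todo_params` permits `group_id` (not visible in this hunk), `destroy_all` still resolves a group the caller may not be able to read. Consider `before_action :authorize_read_group!, only: [:index, :destroy_all]`, or enforcing `:read_group` inside the finder so every caller is covered, not just this controller. The method would also benefit from a short comment such as `# Respond with 404 rather than 403 so a private group's existence is not disclosed`, assuming that is the intent of `render_404`. The class body continues outside the hunks shown.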
......
---
title: Removed ability to see private group names when the group id is entered in
the url.
merge_request:
author:
type: security
...@@ -42,6 +42,16 @@ describe Dashboard::TodosController do ...@@ -42,6 +42,16 @@ describe Dashboard::TodosController do
end end
end end
context 'group authorization' do
it 'renders 404 when user does not have read access on given group' do
unauthorized_group = create(:group, :private)
get :index, group_id: unauthorized_group.id
expect(response).to have_gitlab_http_status(404)
end
end
context 'when using pagination' do context 'when using pagination' do
let(:last_page) { user.todos.page.total_pages } let(:last_page) { user.todos.page.total_pages }
let!(:issues) { create_list(:issue, 3, project: project, assignees: [user]) } let!(:issues) { create_list(:issue, 3, project: project, assignees: [user]) }
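Review bot: The new `group authorization` context asserts only the denied case for an existing private group. Nothing pins that a user with access still gets a 200 when `group_id` is set. Nothing pins that a nonexistent `group_id` produces the same 404 either, which is what keeps the response from revealing whether a private group id exists. I would add two examples next to it, e.g. `it 'renders 200 when user has read access on given group'` and `it 'renders 404 when the group does not exist'`. The enclosing `describe` block starts and ends outside this hunk.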
......