Commit fd34cc48 authored by Alexandru Croitor's avatar Alexandru Croitor Committed by Yorick Peterse

Redirect user to root path after unsubscribing from private resource

If a user unsubscribes from a resource that they no longer have
access to, the resource path should not be revealed to them; they
should be redirected to the app root instead.

https://gitlab.com/gitlab-org/gitlab-ce/issues/64938
parent 92bf9d78
...@@ -19,7 +19,11 @@ class SentNotificationsController < ApplicationController ...@@ -19,7 +19,11 @@ class SentNotificationsController < ApplicationController
flash[:notice] = _("You have been unsubscribed from this thread.") flash[:notice] = _("You have been unsubscribed from this thread.")
if current_user if current_user
if current_user.can?(:"read_#{noteable.class.to_ability_name}", noteable)
redirect_to noteable_path(noteable) redirect_to noteable_path(noteable)
else
redirect_to root_path
end
else else
redirect_to new_user_session_path redirect_to new_user_session_path
end end
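Review bot: The added `if current_user.can?(:"read_#{noteable.class.to_ability_name}", noteable)` line is the security-relevant branch of this action but carries no comment saying why the redirect target is withheld; add `# Do not redirect to the noteable once the user has lost read access (e.g. the project became private): the path alone would disclose the resource.` directly above it. The guard is only as strong as the `read_*` policy of each noteable type the action can reach, and that mapping through `to_ability_name` lives outside this hunk, so any new noteable type routed through this controller needs its own read policy. The enclosing action (presumably `unsubscribe`, per the spec) starts before the hunk, so whether `noteable` can be nil at this point is not visible here.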
---
title: Fix new project path being disclosed through unsubscribe link of issue/merge
requests
merge_request:
author:
type: security
...@@ -14,6 +14,7 @@ describe SentNotificationsController do ...@@ -14,6 +14,7 @@ describe SentNotificationsController do
let(:sent_notification) { create(:sent_notification, project: nil, noteable: epic, recipient: user) } let(:sent_notification) { create(:sent_notification, project: nil, noteable: epic, recipient: user) }
before do before do
stub_licensed_features(epics: true)
sign_in(user) sign_in(user)
get(:unsubscribe, params: { id: sent_notification.reply_key }) get(:unsubscribe, params: { id: sent_notification.reply_key })
end end
...@@ -208,6 +208,35 @@ describe SentNotificationsController do ...@@ -208,6 +208,35 @@ describe SentNotificationsController do
.to redirect_to(project_merge_request_path(project, merge_request)) .to redirect_to(project_merge_request_path(project, merge_request))
end end
end end
context 'when project is private' do
context 'and user does not have access' do
let(:noteable) { issue }
let(:target_project) { private_project }
before do
get(:unsubscribe, params: { id: sent_notification.reply_key })
end
it 'unsubscribes user and redirects to root path' do
expect(response).to redirect_to(root_path)
end
end
context 'and user has access' do
let(:noteable) { issue }
let(:target_project) { private_project }
before do
private_project.add_developer(user)
get(:unsubscribe, params: { id: sent_notification.reply_key })
end
it 'unsubscribes user and redirects to issue path' do
expect(response).to redirect_to(project_issue_path(private_project, issue))
end
end
end
end end
end end
end end
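Review bot: Both new contexts under `context 'when project is private'` repeat `let(:noteable) { issue }` and `let(:target_project) { private_project }`; hoist those two `let`s into the enclosing private-project context so each child states only how access differs. Coverage is also limited to issues, while the controller keys its check on `noteable.class.to_ability_name`; a merge request, and an epic given the licensed-feature setup earlier in this spec, would exercise a different `read_*` ability and deserve the same 'redirects to root path' example. `private_project`, `issue` and `sent_notification` are defined outside the hunk, so I am assuming `sent_notification` is built from `target_project` and `noteable`.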