Merge branch '33303-8-17-security-fix' into 'security-8-17'

[8-17 security fix] Renders 404 if given project is not readable by the user on Todos dashboard See merge request !2136

Merge branch '33303-8-17-security-fix' into 'security-8-17'
[8-17 security fix] Renders 404 if given project is not readable by the user on Todos dashboard See merge request !2136
2788383b · Sean McGivern · James Edwards-Jones · 632aa1d4 · 2788383b · 2788383b
Commit 2788383b authored Jul 19, 2017 by Sean McGivern Committed by James Edwards-Jones Jul 19, 2017
3 changed files
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
 class Dashboard::TodosController < Dashboard::ApplicationController
+  include ActionView::Helpers::NumberHelper
+
+  before_action :authorize_read_project!, only: :index
  before_action :find_todos, only: [:index, :destroy_all]

  def index
@@ -31,6 +34,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController

  private

+  def authorize_read_project!
+    project_id = params[:project_id]
+
+    if project_id.present?
+      project = Project.find(project_id)
+      render_404 unless can?(current_user, :read_project, project)
+    end
+  end
+
  def find_todos
    @todos ||= TodosFinder.new(current_user, params).execute
  end

--- a/changelogs/unreleased/33303-404-for-unauthorized-project.yml
+++ b/changelogs/unreleased/33303-404-for-unauthorized-project.yml
+---
+title: Renders 404 if given project is not readable by the user on Todos dashboard
+merge_request:
+author:
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -11,6 +11,30 @@ describe Dashboard::TodosController do
      project.team << [user, :developer]
    end

+    context 'project authorization' do
+      it 'renders 404 when user does not have read access on given project' do
+        unauthorized_project = create(:empty_project, :private)
+
+        get :index, project_id: unauthorized_project.id
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'renders 200 when filtering for "any project" todos' do
+        get :index, project_id: ''
+
+        expect(response).to have_http_status(200)
+      end
+
+      it 'renders 200 when user has access on given project' do
+        authorized_project = create(:empty_project, :public)
+
+        get :index, project_id: authorized_project.id
+
+        expect(response).to have_http_status(200)
+      end
+    end
+
    context 'when using pagination' do
      let(:last_page) { user.todos.page.total_pages }
      let!(:issues) { create_list(:issue, 2, project: project, assignee: user) }