From 8daff9502c4548db8c5ad747ca247b9be2b15049 Mon Sep 17 00:00:00 2001
From: Sean McGivern <sean@gitlab.com>
Date: Tue, 13 Jun 2017 17:14:14 +0000
Subject: [PATCH] Merge branch '33303-404-for-unauthorized-project' into
 'security-9-3'

[9.3 security fix] Renders 404 if given project is not readable by the user on Todos dashboard

See merge request !2118
---
 app/controllers/dashboard/todos_controller.rb | 10 +++++++
 .../33303-404-for-unauthorized-project.yml    |  4 +++
 .../dashboard/todos_controller_spec.rb        | 30 +++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 changelogs/unreleased/33303-404-for-unauthorized-project.yml

diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index 28c90548cc1f6..59e5b5e477573 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -1,6 +1,7 @@
 class Dashboard::TodosController < Dashboard::ApplicationController
   include ActionView::Helpers::NumberHelper
 
+  before_action :authorize_read_project!, only: :index
   before_action :find_todos, only: [:index, :destroy_all]
 
   def index
@@ -49,6 +50,15 @@ def bulk_restore
 
   private
 
+  def authorize_read_project!
+    project_id = params[:project_id]
+
+    if project_id.present?
+      project = Project.find(project_id)
+      render_404 unless can?(current_user, :read_project, project)
+    end
+  end
+
   def find_todos
     @todos ||= TodosFinder.new(current_user, params).execute
   end
diff --git a/changelogs/unreleased/33303-404-for-unauthorized-project.yml b/changelogs/unreleased/33303-404-for-unauthorized-project.yml
new file mode 100644
index 0000000000000..5a5a337129ebb
--- /dev/null
+++ b/changelogs/unreleased/33303-404-for-unauthorized-project.yml
@@ -0,0 +1,4 @@
+---
+title: Renders 404 if given project is not readable by the user on Todos dashboard
+merge_request:
+author:
diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb
index 085f3fd8543d5..4a48621abe160 100644
--- a/spec/controllers/dashboard/todos_controller_spec.rb
+++ b/spec/controllers/dashboard/todos_controller_spec.rb
@@ -12,6 +12,36 @@
   end
 
   describe 'GET #index' do
+    context 'project authorization' do
+      it 'renders 404 when user does not have read access on given project' do
+        unauthorized_project = create(:empty_project, :private)
+
+        get :index, project_id: unauthorized_project.id
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'renders 404 when given project does not exists' do
+        get :index, project_id: 999
+
+        expect(response).to have_http_status(404)
+      end
+
+      it 'renders 200 when filtering for "any project" todos' do
+        get :index, project_id: ''
+
+        expect(response).to have_http_status(200)
+      end
+
+      it 'renders 200 when user has access on given project' do
+        authorized_project = create(:empty_project, :public)
+
+        get :index, project_id: authorized_project.id
+
+        expect(response).to have_http_status(200)
+      end
+    end
+
     context 'when using pagination' do
       let(:last_page) { user.todos.page.total_pages }
       let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) }
-- 
GitLab