提交 8daff950 编辑于 作者: Sean McGivern's avatar Sean McGivern 提交者: Mike Greiling

Merge branch '33303-404-for-unauthorized-project' into 'security-9-3'

[9.3 security fix] Renders 404 if given project is not readable by the user on Todos dashboard

See merge request !2118
上级 f2675d4f
class Dashboard::TodosController < Dashboard::ApplicationController class Dashboard::TodosController < Dashboard::ApplicationController
include ActionView::Helpers::NumberHelper include ActionView::Helpers::NumberHelper
before_action :authorize_read_project!, only: :index
before_action :find_todos, only: [:index, :destroy_all] before_action :find_todos, only: [:index, :destroy_all]
def index def index
...@@ -49,6 +50,15 @@ def bulk_restore ...@@ -49,6 +50,15 @@ def bulk_restore
private private
def authorize_read_project!
project_id = params[:project_id]
if project_id.present?
project = Project.find(project_id)
render_404 unless can?(current_user, :read_project, project)
end
end
def find_todos def find_todos
@todos ||= TodosFinder.new(current_user, params).execute @todos ||= TodosFinder.new(current_user, params).execute
end end
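Review bot: `authorize_read_project!` is registered with `only: :index`, while `find_todos`, which hands the same `params` (including `project_id`) to `TodosFinder`, also runs for `destroy_all`, so the new readability check does not cover that action; unless `TodosFinder` already scopes by project visibility (not visible here), `before_action :authorize_read_project!, only: [:index, :destroy_all]` would keep the two actions consistent. A second point: `Project.find(project_id)` raises `ActiveRecord::RecordNotFound` for an unknown id, and whether that surfaces as a 404 rather than a 500 depends on a `rescue_from` elsewhere in the controller hierarchy that the hunk does not show (the spec's "does not exist" case suggests one exists, but it is worth confirming). The enclosing class continues outside the hunk.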
---
title: Renders 404 if given project is not readable by the user on Todos dashboard
merge_request:
author:
...@@ -12,6 +12,36 @@ ...@@ -12,6 +12,36 @@
end end
describe 'GET #index' do describe 'GET #index' do
context 'project authorization' do
it 'renders 404 when user does not have read access on given project' do
unauthorized_project = create(:empty_project, :private)
get :index, project_id: unauthorized_project.id
expect(response).to have_http_status(404)
end
it 'renders 404 when given project does not exists' do
get :index, project_id: 999
expect(response).to have_http_status(404)
end
it 'renders 200 when filtering for "any project" todos' do
get :index, project_id: ''
expect(response).to have_http_status(200)
end
it 'renders 200 when user has access on given project' do
authorized_project = create(:empty_project, :public)
get :index, project_id: authorized_project.id
expect(response).to have_http_status(200)
end
end
context 'when using pagination' do context 'when using pagination' do
let(:last_page) { user.todos.page.total_pages } let(:last_page) { user.todos.page.total_pages }
let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) } let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) }
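Review bot: The "renders 200 when user has access on given project" example uses a `:public` project, so it never exercises the member-of-a-private-project branch of `can?(current_user, :read_project, project)`; adding a second example with a `:private` project to which `user` has been added through the project team would pin the intended authorization path rather than only the public shortcut. The description `'renders 404 when given project does not exists'` should read `'renders 404 when given project does not exist'`. The enclosing `describe` block starts before the hunk.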