Merge branch 'security-private-group' into 'master'

[master] Fixed read private group names See merge request gitlab/gitlabhq!2589
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 21:36:59 +0300
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-29 03:07:15 +0300
commit: 1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (patch)
tree: 1004efdbf23a8dfedbcfc08786f5afa1fcc09dd4 /app/controllers/dashboard
parent: 3881285c2b901cfeac58b5e6bdf54ec7bd46612f (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index b82caf30a91..3fa582cf25b 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -4,6 +4,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController
   include ActionView::Helpers::NumberHelper
 
   before_action :authorize_read_project!, only: :index
+  before_action :authorize_read_group!, only: :index
   before_action :find_todos, only: [:index, :destroy_all]
 
   def index
@@ -60,6 +61,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
     end
   end
 
+  def authorize_read_group!
+    group_id = params[:group_id]
+
+    if group_id.present?
+      group = Group.find(group_id)
+      render_404 unless can?(current_user, :read_group, group)
+    end
+  end
+
   def find_todos
     @todos ||= TodosFinder.new(current_user, todo_params).execute
   end
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 21:36:59 +0300
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-29 03:07:15 +0300
commit	1be0174b6aaab1c0cfe86a8b1c91b8ea6fa3db72 (patch)
tree	1004efdbf23a8dfedbcfc08786f5afa1fcc09dd4 /app/controllers/dashboard
parent	3881285c2b901cfeac58b5e6bdf54ec7bd46612f (diff)