author | Sean McGivern <sean@gitlab.com> | 2017-03-28 14:09:44 +0300 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-03-30 05:18:38 +0300 |
commit | 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch) | |
tree | dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/services/groups | |
parent | 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff) |
Merge branch 'jej-group-name-disclosure' into 'security'
Prevent private group disclosure via parent_id
See merge request !2077
Diffstat (limited to 'app/services/groups')
-rw-r--r-- | app/services/groups/update_service.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 4e878ec556a..1d65c76d282 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -1,6 +1,8 @@
 module Groups
 class UpdateService < Groups::BaseService
 def execute
+ reject_parent_id!
+
 # check that user is allowed to set specified visibility_level
 new_visibility = params[:visibility_level]
 if new_visibility && new_visibility.to_i != group.visibility_level
@@ -22,5 +24,11 @@ module Groups
 false
 end
 end
+
+ private
+
+ def reject_parent_id!
+ params.except!(:parent_id)
+ end
 end
 end
|
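Review bot: `reject_parent_id!` in the second hunk deletes only the symbol key, so the fix holds only if `params` is an indifferent-access hash; on a plain Hash with string keys, `"parent_id"` would survive `except!(:parent_id)` and reach the rest of `execute`, whose update logic lies outside both hunks. The type of `params` is set in `Groups::BaseService` and is not visible here, so unless it is guaranteed I would write `params.except!(:parent_id, 'parent_id')`. `except!` also mutates the hash the caller passed in and drops the value silently, which deserves a comment on the method such as `# parent_id must not be changed through this service: the target group is not authorised here and its name could be disclosed`. A spec asserting that an update carrying `parent_id` leaves the group's parent unchanged would pin the behaviour; the diffstat is limited to this directory, so one may already exist.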