Merge branch 'jej-group-name-disclosure' into 'security'

Prevent private group disclosure via parent_id See merge request !2077
author: Sean McGivern <sean@gitlab.com> 2017-03-28 14:09:44 +0300
committer: DJ Mountney <david@twkie.net> 2017-03-30 05:18:38 +0300
commit: 91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree: dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/services/groups
parent: 60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 4e878ec556a..1d65c76d282 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -1,6 +1,8 @@
 module Groups
   class UpdateService < Groups::BaseService
     def execute
+      reject_parent_id!
+
       # check that user is allowed to set specified visibility_level
       new_visibility = params[:visibility_level]
       if new_visibility && new_visibility.to_i != group.visibility_level
@@ -22,5 +24,11 @@ module Groups
         false
       end
     end
+
+    private
+
+    def reject_parent_id!
+      params.except!(:parent_id)
+    end
   end
 end
author	Sean McGivern <sean@gitlab.com>	2017-03-28 14:09:44 +0300
committer	DJ Mountney <david@twkie.net>	2017-03-30 05:18:38 +0300
commit	91f43587a8c05a5c2955f0b5c464f03688552cb6 (patch)
tree	dba32618ae3452ae117df78184ad38d3b5ff26b1 /app/services/groups
parent	60c0c0f3d08aa2c2a5be68aa784a86304fdb9c99 (diff)