diff options
| author | Robert Speicher <robert@gitlab.com> | 2016-06-27 21:41:31 +0300 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2016-06-27 21:48:46 +0300 |
| commit | 7917cbbb38e1449c2aad3e5a148d8390482d54be (patch) | |
| tree | cb77624486008abc6a558e6ad9c5d3ec324aaa54 /app/views/admin | |
| parent | 78596dcddc6aea7598501a497d0fc87b9a2e1cdf (diff) | |
Merge branch '19102-fix' into 'master'
Fix an information disclosure when requesting access to a group containing private projects
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19102.
The commit speaks for itself:
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.
Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.
Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...
My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.
Now they are all secure.
See merge request !1973
Diffstat (limited to 'app/views/admin')
| -rw-r--r-- | app/views/admin/users/groups.html.haml | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/app/views/admin/users/groups.html.haml b/app/views/admin/users/groups.html.haml index b0a709a568a..8f6d13b881a 100644 --- a/app/views/admin/users/groups.html.haml +++ b/app/views/admin/users/groups.html.haml @@ -1,11 +1,12 @@ - page_title "Groups", @user.name, "Users" = render 'admin/users/head' -- if @user.group_members.present? +- group_members = @user.group_members.includes(:source) +- if group_members.any? .panel.panel-default .panel-heading Groups: %ul.well-list - - @user.group_members.each do |group_member| + - group_members.each do |group_member| - group = group_member.group %li.group_member %span{class: ("list-item-name" unless group_member.owner?)} |