
authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-01-25 17:51:45 +0400
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2013-01-25 17:51:45 +0400
commit6350b32a3dddf70a28526c4f95c652072411e9c7 (patch)
tree96c996a2f63f9fede4c5b2b081fd3acedb1049f5 /app
parent3ddd9f753c0a6a57313ea4860bf7167f98f53cd2 (diff)
Fix security issues with teams
Diffstat (limited to 'app')
-rw-r--r--app/controllers/dashboard_controller.rb2
-rw-r--r--app/controllers/teams_controller.rb9
-rw-r--r--app/helpers/application_helper.rb1
-rw-r--r--app/models/user.rb11
4 files changed, 16 insertions, 7 deletions
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 1322973489c..13b7f02fdb8 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -18,7 +18,7 @@ class DashboardController < ApplicationController
@projects
end
- @teams = (UserTeam.with_member(current_user) + UserTeam.created_by(current_user)).uniq
+ @teams = current_user.authorized_teams
@projects = @projects.page(params[:page]).per(30)
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
index 828bdeb80ab..e69a092c507 100644
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
before_filter :authorize_manage_user_team!, only: [:edit, :update]
before_filter :authorize_admin_user_team!, only: [:destroy]
- layout 'user_team', except: [:new, :create]
+ before_filter :user_team, except: [:new, :create]
- def index
- @teams = current_user.user_teams.order('name ASC')
- end
+ layout 'user_team', except: [:new, :create]
def show
user_team
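Review bot: The new `before_filter :user_team` is declared after `authorize_manage_user_team!` and `authorize_admin_user_team!`, so for edit, update and destroy the authorization filters run before `@team` is populated; if either of those filters reads `@team` directly instead of calling `user_team`, it will see nil, which the hunk does not let me confirm since their bodies are outside it. Declaring the loader first, or having the authorization filters call `user_team` explicitly, removes that ordering dependency. The explicit `user_team` call at the top of `show` is now redundant with the filter and can be dropped; `show` continues past the hunk.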
@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
end
def user_team
- @team ||= UserTeam.find_by_path(params[:id])
+ @team ||= current_user.authorized_teams.find_by_path(params[:id])
end
-
end
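Review bot: `find_by_path` on the scoped relation returns nil when `params[:id]` names a team outside `current_user.authorized_teams` (or no team at all), so `@team` stays nil and any action that dereferences it raises NoMethodError, a 500 rather than a 404 — and since `user_team` now runs as a before_filter for most actions, that is the usual path for a forbidden id. `||=` also re-issues the query on every call while the result is nil. The raising finder gives the intended not-found response for both the unknown and the unauthorized case: `@team ||= current_user.authorized_teams.find_by_path!(params[:id])`.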
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 9aafce57e60..196105f0119 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -74,6 +74,7 @@ module ApplicationHelper
def search_autocomplete_source
projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
+ teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
default_nav = [
{ label: "My Profile", url: profile_path },
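Review bot: `teams` is assigned on the added line but nothing in this hunk merges it into the autocomplete result, the way `projects` and `groups` presumably are further down; if the later concatenation outside the hunk was not updated as well, the new entries never reach the client and the local is dead. `search_autocomplete_source` continues beyond the hunk, so please confirm the merge line includes `teams`.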
diff --git a/app/models/user.rb b/app/models/user.rb
index 7a0d66453f8..29f262968d5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -295,4 +295,15 @@ class User < ActiveRecord::Base
def namespace_id
namespace.try :id
end
+
+ def authorized_teams
+ @authorized_teams ||= begin
+ ids = []
+ ids << UserTeam.with_member(self).pluck('user_teams.id')
+ ids << UserTeam.created_by(self).pluck('user_teams.id')
+ ids.flatten
+
+ UserTeam.where(id: ids)
+ end
+ end
end
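Review bot: `ids.flatten` discards its result, so `ids` is still a nested array (`[[...], [...]]`) when it reaches `UserTeam.where(id: ids)`; whether that yields a correct `IN` list depends on Arel recursively visiting nested arrays, which is an implementation detail rather than a contract. Building the list directly avoids the accumulator and the duplicate ids from teams the user both created and belongs to: `ids = UserTeam.with_member(self).pluck('user_teams.id') + UserTeam.created_by(self).pluck('user_teams.id')` followed by `UserTeam.where(id: ids.uniq)`. Since the result is memoized in `@authorized_teams` for the life of the user object, a short YARD comment noting that membership changes made after the first call are not reflected would help callers in long-lived contexts.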