Merge branch '33303-9-0-security-fix' into 'security-9-0'

[9.0 security fix] Renders 404 if given project is not readable by the user on Todos dashboard See merge request !2135
author: Sean McGivern <sean@gitlab.com> 2017-07-19 17:30:41 +0300
committer: James Edwards-Jones <jedwardsjones@gitlab.com> 2017-07-19 18:43:46 +0300
commit: 4c9da11444df4a83fc228591d8e920ec046bc45d (patch)
tree: 33404fc3dc6f183a7f1c027346c1d9806f1ec82f /app
parent: 27c999e1381a72dddaa64ac4923df6cac96fb091 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index 20336349c9a..8f15ee10702 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -1,6 +1,7 @@
 class Dashboard::TodosController < Dashboard::ApplicationController
   include ActionView::Helpers::NumberHelper
 
+  before_action :authorize_read_project!, only: :index
   before_action :find_todos, only: [:index, :destroy_all]
 
   def index
@@ -44,6 +45,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
 
   private
 
+  def authorize_read_project!
+    project_id = params[:project_id]
+
+    if project_id.present?
+      project = Project.find(project_id)
+      render_404 unless can?(current_user, :read_project, project)
+    end
+  end
+
   def find_todos
     @todos ||= TodosFinder.new(current_user, params).execute
   end
author	Sean McGivern <sean@gitlab.com>	2017-07-19 17:30:41 +0300
committer	James Edwards-Jones <jedwardsjones@gitlab.com>	2017-07-19 18:43:46 +0300
commit	4c9da11444df4a83fc228591d8e920ec046bc45d (patch)
tree	33404fc3dc6f183a7f1c027346c1d9806f1ec82f /app
parent	27c999e1381a72dddaa64ac4923df6cac96fb091 (diff)