diff options
author | Sean McGivern <sean@gitlab.com> | 2017-07-19 17:30:41 +0300 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-07-19 18:43:46 +0300 |
commit | 4c9da11444df4a83fc228591d8e920ec046bc45d (patch) | |
tree | 33404fc3dc6f183a7f1c027346c1d9806f1ec82f /app | |
parent | 27c999e1381a72dddaa64ac4923df6cac96fb091 (diff) |
Merge branch '33303-9-0-security-fix' into 'security-9-0'
[9.0 security fix] Renders 404 if given project is not readable by the user on Todos dashboard
See merge request !2135
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/dashboard/todos_controller.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb index 20336349c9a..8f15ee10702 100644 --- a/app/controllers/dashboard/todos_controller.rb +++ b/app/controllers/dashboard/todos_controller.rb @@ -1,6 +1,7 @@ class Dashboard::TodosController < Dashboard::ApplicationController include ActionView::Helpers::NumberHelper + before_action :authorize_read_project!, only: :index before_action :find_todos, only: [:index, :destroy_all] def index @@ -44,6 +45,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController private + def authorize_read_project! + project_id = params[:project_id] + + if project_id.present? + project = Project.find(project_id) + render_404 unless can?(current_user, :read_project, project) + end + end + def find_todos @todos ||= TodosFinder.new(current_user, params).execute end |