diff options
| author | Kerri Miller <kerrizor@kerrizor.com> | 2019-09-23 20:55:32 +0300 |
|---|---|---|
| committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-10-09 20:47:45 +0300 |
| commit | 8395032721f6d6cb26126a5bffcb42984a240c07 (patch) | |
| tree | 875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/support/shared_examples/controllers | |
| parent | 7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff) | |
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'spec/support/shared_examples/controllers')
| -rw-r--r-- | spec/support/shared_examples/controllers/todos_shared_examples.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/spec/support/shared_examples/controllers/todos_shared_examples.rb b/spec/support/shared_examples/controllers/todos_shared_examples.rb index f3f9abb7da2..914bf506320 100644 --- a/spec/support/shared_examples/controllers/todos_shared_examples.rb +++ b/spec/support/shared_examples/controllers/todos_shared_examples.rb @@ -39,7 +39,7 @@ shared_examples 'todos actions' do post_create end.to change { user.todos.count }.by(0) - expect(response).to have_gitlab_http_status(parent.is_a?(Group) ? 401 : 302) + expect(response).to have_gitlab_http_status(302) end end end |