From abc06c25319cadc9d0618c17a2a5539d10ce1b38 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 10 Apr 2015 18:39:36 +0200
Subject: Don't leak existence of group or project via search.

---
 app/controllers/search_controller.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'app/controllers')

diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 16a5ee2ae35..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController
   def show
     return if params[:search].nil? || params[:search].blank?
-    @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
-    @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :download_code, @project)
+    end
+
+    if params[:group_id].present?
+      @group = Group.find_by(id: params[:group_id])
+      @group = nil unless can?(current_user, :read_group, @group)
+    end
+
     @scope = params[:scope]
     @show_snippets = params[:snippets].eql? 'true'
     @search_results = if @project
-      return access_denied! unless can?(current_user, :download_code, @project)
-
       unless %w(blobs notes issues merge_requests wiki_blobs).
         include?(@scope)
         @scope = 'blobs'
--
cgit v1.2.3
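Review bot: Both new guards call `can?` with whatever `find_by` returned, including nil when the id does not exist, so the "unknown looks like inaccessible" property depends entirely on the ability layer answering false for a nil subject rather than raising or, worse, granting; making that explicit is a one-token change per line, `@project = nil unless @project && can?(current_user, :download_code, @project)` and the same shape for `@group` with `:read_group`. The intent also deserves a comment, since the next reader will see a permission failure being swallowed instead of rejected: `# An inaccessible project/group is treated exactly like a nonexistent one so the response cannot reveal that it exists; the search then silently falls back to global scope.` One caveat to record rather than fix here: gating the whole project-scoped search on `:download_code` is inherited from the removed line, so a user who can read issues but not code still gets no project-scoped results, only now as a quiet fallback instead of a 403. The `show` method continues past the end of the hunk.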