Commit cced6ab6 authored by Sean McGivern's avatar Sean McGivern Committed by James Edwards-Jones

Merge branch...

Merge branch 'security-8-17-backport-33323-fix-incorrect-project-authorizations' into 'security-8-17'

Escape the underscore char inside the LIKE operator

See merge request !2134
parent 7dd5ec18
...@@ -70,7 +70,7 @@ module Routable ...@@ -70,7 +70,7 @@ module Routable
# Returns an ActiveRecord::Relation. # Returns an ActiveRecord::Relation.
def member_descendants(user_id) def member_descendants(user_id)
joins(:route). joins(:route).
joins("INNER JOIN routes r2 ON routes.path LIKE CONCAT(r2.path, '/%') joins("INNER JOIN routes r2 ON routes.path LIKE CONCAT(REPLACE(r2.path, '_', '\\_'), '/%')
INNER JOIN members ON members.source_id = r2.source_id INNER JOIN members ON members.source_id = r2.source_id
AND members.source_type = r2.source_type"). AND members.source_type = r2.source_type").
where('members.user_id = ?', user_id) where('members.user_id = ?', user_id)
......
---
title: Fix incorrect project authorizations
merge_request:
author:
...@@ -115,6 +115,36 @@ describe Users::RefreshAuthorizedProjectsService do ...@@ -115,6 +115,36 @@ describe Users::RefreshAuthorizedProjectsService do
expect(user.authorized_projects_populated).to eq(true) expect(user.authorized_projects_populated).to eq(true)
end end
context 'when the group has special chars in its path' do
let(:user1) { create(:user) }
let(:group1) { create(:group, name: 'demo', path: 'demo') }
let(:nested_group1) { create(:group, name: 'nest', path: 'nest', parent: group1) }
let!(:project1) { create(:empty_project, group: nested_group1) }
let(:user2) { create(:user) }
let(:group2) { create(:group, name: '____', path: '____') }
let(:nested_group2) { create(:group, name: 'test', path: 'test', parent: group2) }
let!(:project2) { create(:empty_project, group: nested_group2) }
before do
group1.add_master(user1)
group2.add_master(user2)
described_class.new(user1).execute
described_class.new(user2).execute
end
it "it doesn't give authorization to foreign projects" do
expect(user1.authorized_projects).not_to include(project2)
expect(user2.authorized_projects).not_to include(project1)
end
it 'only gives authorization to the right projects' do
expect(user1.authorized_projects).to match_array([project1])
expect(user2.authorized_projects).to match_array([project2])
end
end
end end
describe '#fresh_access_levels_per_project' do describe '#fresh_access_levels_per_project' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment