Commit 8daff950 authored by Sean McGivern's avatar Sean McGivern Committed by Mike Greiling

Merge branch '33303-404-for-unauthorized-project' into 'security-9-3'

[9.3 security fix] Renders 404 if the given project is not readable by the user on the Todos dashboard

See merge request !2118
parent f2675d4f
class Dashboard::TodosController < Dashboard::ApplicationController class Dashboard::TodosController < Dashboard::ApplicationController
include ActionView::Helpers::NumberHelper include ActionView::Helpers::NumberHelper
before_action :authorize_read_project!, only: :index
before_action :find_todos, only: [:index, :destroy_all] before_action :find_todos, only: [:index, :destroy_all]
def index def index
...@@ -49,6 +50,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController ...@@ -49,6 +50,15 @@ class Dashboard::TodosController < Dashboard::ApplicationController
private private
def authorize_read_project!
project_id = params[:project_id]
if project_id.present?
project = Project.find(project_id)
render_404 unless can?(current_user, :read_project, project)
end
end
def find_todos def find_todos
@todos ||= TodosFinder.new(current_user, params).execute @todos ||= TodosFinder.new(current_user, params).execute
end end
......
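Review bot: The 404 for an unknown project id in `authorize_read_project!` is not produced by the method itself but by `Project.find` raising `ActiveRecord::RecordNotFound`, which presumably an application-wide rescue handler turns into a 404 (the spec pins that path with `project_id: 999`); a comment should make that dependency visible, e.g. `# Project.find raises RecordNotFound for unknown ids; the app-wide rescue renders 404 for that case.` The filter is registered with `only: :index`, yet `find_todos` also runs for `destroy_all` with the same `params`, so it is worth confirming that the finder's scoping to `current_user` makes the project check unnecessary there, or extending `only:` to cover both actions. The `before_action` is declared ahead of `find_todos`, and that declaration order is what guarantees the check runs before the finder; a one-line comment on that line would keep a future reorder from silently reintroducing the issue.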
---
title: Renders 404 if given project is not readable by the user on Todos dashboard
merge_request:
author:
...@@ -12,6 +12,36 @@ describe Dashboard::TodosController do ...@@ -12,6 +12,36 @@ describe Dashboard::TodosController do
end end
describe 'GET #index' do describe 'GET #index' do
context 'project authorization' do
it 'renders 404 when user does not have read access on given project' do
unauthorized_project = create(:empty_project, :private)
get :index, project_id: unauthorized_project.id
expect(response).to have_http_status(404)
end
it 'renders 404 when given project does not exists' do
get :index, project_id: 999
expect(response).to have_http_status(404)
end
it 'renders 200 when filtering for "any project" todos' do
get :index, project_id: ''
expect(response).to have_http_status(200)
end
it 'renders 200 when user has access on given project' do
authorized_project = create(:empty_project, :public)
get :index, project_id: authorized_project.id
expect(response).to have_http_status(200)
end
end
context 'when using pagination' do context 'when using pagination' do
let(:last_page) { user.todos.page.total_pages } let(:last_page) { user.todos.page.total_pages }
let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) } let!(:issues) { create_list(:issue, 2, project: project, assignees: [user]) }
......
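Review bot: The literal `project_id: 999` in the "does not exists" example assumes that id is never allocated in the test database, which a sequence that has advanced past it would break; deriving the id states the intent explicitly, e.g. `get :index, project_id: Project.maximum(:id).to_i + 1`. The example title also reads "does not exists" where "does not exist" is meant. The enclosing `describe 'GET #index'` block continues outside the hunk, and nothing here exercises `destroy_all` with a foreign `project_id`, which the new filter does not cover.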