Don't leak existence of project via search autocomplete.

2015-04-10 18:39:10 +02:00 · 2015-04-10 18:39:10 +02:00 · 1f813024ba
parent 24d139ba97
commit 1f813024ba
2 changed files with 8 additions and 1 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.

 v 7.10.0 (unreleased)
+  - Don't leak existence of project via search autocomplete.
+  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
  - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
  - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
  - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -35,7 +35,12 @@ class SearchController < ApplicationController

  def autocomplete
    term = params[:term]
-    @project = Project.find(params[:project_id]) if params[:project_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :read_project, @project)
+    end
+
    @ref = params[:project_ref] if params[:project_ref].present?

    render json: search_autocomplete_opts(term).to_json