Redirect user to root path after unsubscribing from private resource

If user unsubsrcribes from a resource that they no longer have access to they should not be revealed the resource path, but be redirected to app root instead. https://gitlab.com/gitlab-org/gitlab-ce/issues/64938
2019-09-10 15:30:07 +03:00 · 2019-09-10 15:30:07 +03:00 · 306fed6afd
commit 306fed6afd
parent c9396f31c6
3 changed files with 40 additions and 1 deletions
--- a/app/controllers/sent_notifications_controller.rb
+++ b/app/controllers/sent_notifications_controller.rb
@ -19,7 +19,11 @@ class SentNotificationsController < ApplicationController
    flash[:notice] = _("You have been unsubscribed from this thread.")

    if current_user
-      redirect_to noteable_path(noteable)
+      if current_user.can?(:"read_#{noteable.class.to_ability_name}", noteable)
+        redirect_to noteable_path(noteable)
+      else
+        redirect_to root_path
+      end
    else
      redirect_to new_user_session_path
    end
--- a/changelogs/unreleased/security-64938-dont-disclose-path.yml
+++ b/changelogs/unreleased/security-64938-dont-disclose-path.yml
@ -0,0 +1,6 @@
+---
+title: Fix new project path being disclosed through unsubscribe link of issue/merge
+  requests
+merge_request:
+author:
+type: security
--- a/spec/controllers/sent_notifications_controller_spec.rb
+++ b/spec/controllers/sent_notifications_controller_spec.rb
@ -208,6 +208,35 @@ describe SentNotificationsController do
            .to redirect_to(project_merge_request_path(project, merge_request))
        end
      end
+
+      context 'when project is private' do
+        context 'and user does not have access' do
+          let(:noteable) { issue }
+          let(:target_project) { private_project }
+
+          before do
+            get(:unsubscribe, params: { id: sent_notification.reply_key })
+          end
+
+          it 'unsubscribes user and redirects to root path' do
+            expect(response).to redirect_to(root_path)
+          end
+        end
+
+        context 'and user has access' do
+          let(:noteable) { issue }
+          let(:target_project) { private_project }
+
+          before do
+            private_project.add_developer(user)
+            get(:unsubscribe, params: { id: sent_notification.reply_key })
+          end
+
+          it 'unsubscribes user and redirects to issue path' do
+            expect(response).to redirect_to(project_issue_path(private_project, issue))
+          end
+        end
+      end
    end
  end
 end