Do not leak project exists when importing members
When importing members, if the user does not have permission to read members of the source project, do not leak information about the source project's existence. Notify the user that the project has not been found instead.
parent
b248ee9381
commit
c52b5c92fb
2 changed files with 6 additions and 6 deletions
|
@ -94,13 +94,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
|
|||
end
|
||||
|
||||
def apply_import
|
||||
giver = Project.find(params[:source_project_id])
|
||||
source_project = Project.find(params[:source_project_id])
|
||||
|
||||
if current_user.can?(:read_project_member, giver)
|
||||
status = @project.team.import(giver, current_user)
|
||||
if can?(current_user, :read_project_member, source_project)
|
||||
status = @project.team.import(source_project, current_user)
|
||||
notice = status ? "Successfully imported" : "Import failed"
|
||||
else
|
||||
notice = 'You are not authorized to import members from this project'
|
||||
notice = 'Import failed - source project not found!'
|
||||
end
|
||||
|
||||
redirect_to(namespace_project_project_members_path(project.namespace, project),
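Review bot: `Project.find(params[:source_project_id])` at the top of `apply_import` still raises `ActiveRecord::RecordNotFound` for an id that matches no record, so a missing project and an unreadable one presumably produce different responses (an error page versus the redirect with the 'source project not found' flash), unless a rescue outside this hunk maps them together. That difference would keep the existence oracle the commit is meant to close. Looking the record up with `source_project = Project.find_by(id: params[:source_project_id])` and guarding with `if source_project && can?(current_user, :read_project_member, source_project)` sends both cases through the same `else` branch. The `redirect_to` call continues past the end of the hunk, so the final response is not fully visible here.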
|
||||
|
|
|
@ -41,8 +41,8 @@ describe Projects::ProjectMembersController do
|
|||
expect(project.team_members).to_not include member
|
||||
end
|
||||
|
||||
it 'notifies about invalid permissions' do
|
||||
expect(response).to set_flash.to /not authorized/
|
||||
it 'pretends that source projects does not exist' do
|
||||
expect(response).to set_flash.to /source project not found/
|
||||
end
|
||||
end
|
||||
end
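Review bot: The renamed example only pins the flash text for a project the user cannot read; nothing in the visible spec exercises a `source_project_id` that matches no record, so the test would keep passing even if the two cases answered differently. A sibling example that submits a non-existent id and expects the same redirect and the same `/source project not found/` flash would guard the behaviour the commit message describes. Separately, `set_flash.to /source project not found/` passes a regexp literal without parentheses, which Ruby warns about as an ambiguous first argument; `expect(response).to set_flash.to(/source project not found/)` avoids that. The request setup for this context sits above the hunk, so it is not visible here.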
|
||||
|
|