Do not leak project exists when importing members

When importing members, and the user does not have permission to read
members in the source project, do not leak information about the source
project's existence. Notify the user that the project has not been found instead.
Grzegorz Bizon 2016-04-05 13:55:15 +02:00
parent b248ee9381
commit c52b5c92fb
2 changed files with 6 additions and 6 deletions


@ -94,13 +94,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
end
def apply_import
giver = Project.find(params[:source_project_id])
source_project = Project.find(params[:source_project_id])
if current_user.can?(:read_project_member, giver)
status = @project.team.import(giver, current_user)
if can?(current_user, :read_project_member, source_project)
status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
notice = 'You are not authorized to import members from this project'
notice = 'Import failed - source project not found!'
end
redirect_to(namespace_project_project_members_path(project.namespace, project),
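Review bot: A `source_project_id` that matches no project still takes a different path from one the user cannot read, because `Project.find(params[:source_project_id])` at the top of `apply_import` raises `ActiveRecord::RecordNotFound` before the new 'Import failed - source project not found!' branch is reached. How that exception is rendered is not visible here, but unless it produces the same redirect and flash, the two cases remain distinguishable by response and the existence of a private project can still be inferred. Consider `source_project = Project.find_by(id: params[:source_project_id])` together with `if source_project && can?(current_user, :read_project_member, source_project)` so that both cases fall into the same `else`. The `redirect_to` call continues past the end of the hunk.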


@ -41,8 +41,8 @@ describe Projects::ProjectMembersController do
expect(project.team_members).to_not include member
end
it 'notifies about invalid permissions' do
expect(response).to set_flash.to /not authorized/
it 'pretends that source projects does not exist' do
expect(response).to set_flash.to /source project not found/
end
end
end
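Review bot: The spec covers only a source project the user cannot read; there is no example for a `source_project_id` that matches no record, so nothing pins that the two cases produce the same flash and redirect. A sibling context that calls the action with an id absent from the database and repeats `expect(response).to set_flash.to /source project not found/` would make that guarantee testable. The example description would also read better as `'pretends that source project does not exist'`. The enclosing `describe` block starts outside the hunk.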