gitlab-org--gitlab-foss/app/controllers/dashboard
Rémy Coutable aec3475df9
Fix an information disclosure when requesting access to a group containing private projects
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>
2016-06-24 12:01:48 +02:00
..
application_controller.rb Fix an issue causing the Dashboard/Milestones page to be blank 2016-03-23 12:02:15 +01:00
groups_controller.rb Fix an information disclosure when requesting access to a group containing private projects 2016-06-24 12:01:48 +02:00
labels_controller.rb Add to label :id to response 2016-05-03 11:58:43 -05:00
milestones_controller.rb Use respond_to instead of a conditional to paginate milestones 2016-03-23 12:02:15 +01:00
projects_controller.rb Restrict starred projects to viewable ones 2016-05-10 18:13:52 +01:00
snippets_controller.rb Use the configured Kaminari "per page" default 2016-03-19 17:37:54 -04:00
todos_controller.rb Ensure Todos counters doesn't count Todos for projects pending delete 2016-06-17 16:17:43 -03:00