Commit 6350b32a3dddf70a28526c4f95c652072411e9c7
1 parent
3ddd9f75
Fix security issues with teams
Showing
4 changed files
with
16 additions
and
7 deletions
app/controllers/dashboard_controller.rb
| ... | ... | @@ -18,7 +18,7 @@ class DashboardController < ApplicationController |
| 18 | 18 | @projects |
| 19 | 19 | end |
| 20 | 20 | |
| 21 | - @teams = (UserTeam.with_member(current_user) + UserTeam.created_by(current_user)).uniq | |
| 21 | + @teams = current_user.authorized_teams | |
| 22 | 22 | |
| 23 | 23 | @projects = @projects.page(params[:page]).per(30) |
| 24 | 24 | ... | ... |
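--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
   before_filter :authorize_manage_user_team!, only: [:edit, :update]
   before_filter :authorize_admin_user_team!, only: [:destroy]
 
-  layout 'user_team', except: [:new, :create]
+  before_filter :user_team, except: [:new, :create]
 
-  def index
-    @teams = current_user.user_teams.order('name ASC')
-  end
+  layout 'user_team', except: [:new, :create]
 
   def show
     user_team
@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
   end
 
   def user_team
-    @team ||= UserTeam.find_by_path(params[:id])
+    @team ||= current_user.authorized_teams.find_by_path(params[:id])
   end
-
 end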
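Review bot: Scoping `user_team` to `current_user.authorized_teams` is the right fix, but a path the user is not authorized for now yields `@team = nil` instead of a record, and nothing in the hunk turns that into a 404 — `show`, `edit`, `update` and `destroy` would most likely fail with `NoMethodError` on `nil` (a 500, which also leaks that the path exists). I would make the loader fail closed: `@team ||= current_user.authorized_teams.find_by_path(params[:id]) || raise(ActiveRecord::RecordNotFound)`. Filter order is also worth checking: the new `before_filter :user_team` is declared after `authorize_manage_user_team!` and `authorize_admin_user_team!`, so if those filters read `@team` directly rather than calling `user_team` (their bodies are outside the hunk) they run before it is set. Finally, `index` is deleted but `:index` is not in the `except:` list, so if the `teams` resource route still exposes it (routes are not in this commit) an index request would call `user_team` with `params[:id]` nil.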
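--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -74,6 +74,7 @@ module ApplicationHelper
   def search_autocomplete_source
     projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
     groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
+    teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
 
     default_nav = [
       { label: "My Profile", url: profile_path },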
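Review bot: The new `teams` local is built on line 77 but the hunk ends before the method assembles its result, so it is not visible whether `teams` is concatenated into the returned array alongside `projects` and `groups`; if the remainder of `search_autocomplete_source` (outside this hunk) was not updated, the added line is dead code and the extra query is wasted. Worth confirming in the full method, since the diffstat shows only one line changed in this file.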
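--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -295,4 +295,15 @@ class User < ActiveRecord::Base
   def namespace_id
     namespace.try :id
   end
+
+  def authorized_teams
+    @authorized_teams ||= begin
+      ids = []
+      ids << UserTeam.with_member(self).pluck('user_teams.id')
+      ids << UserTeam.created_by(self).pluck('user_teams.id')
+      ids.flatten
+
+      UserTeam.where(id: ids)
+    end
+  end
 end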
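Review bot: `ids.flatten` on line 304 is non-mutating and its result is discarded, so `UserTeam.where(id: ids)` on line 306 receives the nested array `[[...], [...]]` built by the two `<<` calls; whether that is accepted depends on how this Rails/Arel version serialises nested arrays in an `IN` list, and it is at best accidental. Since this method is now the authorization boundary for every team lookup (it is also what `TeamsController#user_team` and the dashboard rely on), it should be unambiguous: `ids = UserTeam.with_member(self).pluck('user_teams.id') | UserTeam.created_by(self).pluck('user_teams.id')` followed by `UserTeam.where(id: ids)`. Note also that `@authorized_teams ||=` memoises the id arrays for the life of the `User` object, so membership changes after the first call are not reflected; that is fine per request but worth a comment. A one-line YARD doc such as `# @return [ActiveRecord::Relation<UserTeam>] teams the user is a member of or created` would make the contract explicit.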