Commit 6350b32a3dddf70a28526c4f95c652072411e9c7
1 parent
3ddd9f75
Fix security issues with teams
Showing
4 changed files
with
16 additions
and
7 deletions
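--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -18,7 +18,7 @@ class DashboardController < ApplicationController
 @projects
 end
 
-@teams = (UserTeam.with_member(current_user) + UserTeam.created_by(current_user)).uniq
+@teams = current_user.authorized_teams
 
 @projects = @projects.page(params[:page]).per(30)
 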
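--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -4,11 +4,9 @@ class TeamsController < ApplicationController
 before_filter :authorize_manage_user_team!, only: [:edit, :update]
 before_filter :authorize_admin_user_team!, only: [:destroy]
 
-layout 'user_team', except: [:new, :create]
+before_filter :user_team, except: [:new, :create]
 
-def index
-@teams = current_user.user_teams.order('name ASC')
-end
+layout 'user_team', except: [:new, :create]
 
 def show
 user_team
@@ -83,7 +81,6 @@ class TeamsController < ApplicationController
 end
 
 def user_team
-@team ||= UserTeam.find_by_path(params[:id])
+@team ||= current_user.authorized_teams.find_by_path(params[:id])
 end
-
 end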
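Review bot: `user_team` now scopes the lookup through `current_user.authorized_teams`, but `find_by_path` is defined outside this page and, unless it is a bang-style finder, returns nil on a miss; because `user_team` also runs as a `before_filter` for every action except new/create, a path the user is not authorized for leaves `@team` nil and the action fails with a NoMethodError (a 500) rather than a clean not-found. Raising in the filter keeps the access restriction and gives the intended response: `@team ||= current_user.authorized_teams.find_by_path(params[:id]) || raise(ActiveRecord::RecordNotFound)`. The `authorize_manage_user_team!` and `authorize_admin_user_team!` filters on lines 4–5 are declared before the new `user_team` filter; if they call `user_team` themselves the memoization makes that harmless, but it is worth confirming they do not perform their own unscoped lookup elsewhere. Both hunks cut through the class body, so the surrounding actions are not visible here.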
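--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -74,6 +74,7 @@ module ApplicationHelper
 def search_autocomplete_source
 projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
 groups = current_user.authorized_groups.map { |group| { label: "group: #{group.name}", url: group_path(group) } }
+teams = current_user.authorized_teams.map { |team| { label: "team: #{team.name}", url: team_path(team) } }
 
 default_nav = [
 { label: "My Profile", url: profile_path },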
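Review bot: The new `teams` array on line 77 is built, but nothing in the hunk adds it to the autocomplete source; the rest of `search_autocomplete_source`, where the result is assembled, is outside this view, so confirm `teams` is concatenated with `projects` and `groups` there, otherwise the work is discarded and authorized teams never appear in search. The line mirrors the two above it and is correct as written; as a matter of style, all three map-to-hash lines are well over the usual line length, and a one-line comment such as `# Only entities visible to current_user are offered as suggestions.` would document why each list goes through an `authorized_*` scope.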
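--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -295,4 +295,15 @@ class User < ActiveRecord::Base
 def namespace_id
 namespace.try :id
 end
+
+def authorized_teams
+@authorized_teams ||= begin
+ids = []
+ids << UserTeam.with_member(self).pluck('user_teams.id')
+ids << UserTeam.created_by(self).pluck('user_teams.id')
+ids.flatten
+
+UserTeam.where(id: ids)
+end
+end
 end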
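Review bot: In the new `authorized_teams`, `ids.flatten` on line 304 is non-destructive and its return value is discarded, so `ids` is still an array of two arrays when it reaches `UserTeam.where(id: ids)`; whether that still yields a usable `IN (...)` list depends on how this Rails version's query builder treats nested arrays, so the lookup that the controllers now rely on for authorization is working by accident if at all. Use `ids.flatten!`, or build the list in one expression such as `ids = UserTeam.with_member(self).pluck('user_teams.id') + UserTeam.created_by(self).pluck('user_teams.id')`, so the behaviour is explicit and version-independent. Since `where(id:)` returns each team once, the `.uniq` the dashboard previously applied is not needed here. A short comment such as `# Teams the user is a member of or created; memoized per instance, so reload the user after team changes.` would help the next reader.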