From abc06c25319cadc9d0618c17a2a5539d10ce1b38 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 10 Apr 2015 18:39:36 +0200
Subject: [PATCH] Don't leak existence of group or project via search.

---
 CHANGELOG                            |  1 +
 app/controllers/search_controller.rb | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0a61fee1cb2..adb19118443 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.10.0 (unreleased)
   - Don't leak existence of project via search autocomplete.
+  - Don't leak existence of group or project via search.
   - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 16a5ee2ae35..c5828d0b2df 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,15 +3,22 @@ class SearchController < ApplicationController
 
   def show
     return if params[:search].nil? || params[:search].blank?
-    @project = Project.find_by(id: params[:project_id]) if params[:project_id].present?
-    @group = Group.find_by(id: params[:group_id]) if params[:group_id].present?
+
+    if params[:project_id].present?
+      @project = Project.find_by(id: params[:project_id])
+      @project = nil unless can?(current_user, :download_code, @project)
+    end
+
+    if params[:group_id].present?
+      @group = Group.find_by(id: params[:group_id]) 
+      @group = nil unless can?(current_user, :read_group, @group)
+    end
+    
     @scope = params[:scope]
     @show_snippets = params[:snippets].eql? 'true'
 
     @search_results = 
       if @project
-        return access_denied! unless can?(current_user, :download_code, @project)
-
         unless %w(blobs notes issues merge_requests wiki_blobs).
           include?(@scope)
           @scope = 'blobs'
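Review bot: When `Project.find_by(id: ...)` or `Group.find_by(id: ...)` returns nil, the new guards still call `can?(current_user, :download_code, nil)` / `can?(current_user, :read_group, nil)`; this presumably evaluates to false in the ability layer, but the hunk does not show that, and the intent reads more plainly as `@project = nil unless @project && can?(current_user, :download_code, @project)` (and likewise for `@group`). Collapsing both "not found" and "not permitted" to nil is what keeps the response indistinguishable, so a short comment above the first `if`, e.g. `# Unknown and forbidden ids both fall through to nil so the response does not reveal which`, would make the security reason for the change explicit to later readers. Lines 40 and 43 of the hunk carry trailing whitespace. The `if @project` branch that follows `@search_results =` continues past the end of the hunk, so its remaining scope handling is not visible here.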
-- 
GitLab