Commit c52b5c92 authored by Grzegorz Bizon

Do not leak project exists when importing members

When importing members, and user does not have permissions to read
members in a source project, do not leak information about source
project existence. Notify user that project has not been found instead.
parent b248ee93
@@ -94,13 +94,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
end
 
def apply_import
giver = Project.find(params[:source_project_id])
source_project = Project.find(params[:source_project_id])
 
if current_user.can?(:read_project_member, giver)
status = @project.team.import(giver, current_user)
if can?(current_user, :read_project_member, source_project)
status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
notice = 'You are not authorized to import members from this project'
notice = 'Import failed - source project not found!'
end
 
redirect_to(namespace_project_project_members_path(project.namespace, project),
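Review bot: `Project.find(params[:source_project_id])` at the top of `apply_import` still raises `ActiveRecord::RecordNotFound` for an id that does not exist, whereas an existing project the user cannot read now reaches the `else` branch and redirects with 'Import failed - source project not found!'. Unless that exception is rescued elsewhere into the same redirect and flash, the two responses differ and a caller can still tell which ids belong to real projects. Consider `Project.find_by(id: params[:source_project_id])` and routing the nil case through the same branch as the failed `can?` check, so both outcomes are identical.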
@@ -41,8 +41,8 @@ describe Projects::ProjectMembersController do
expect(project.team_members).to_not include member
end
 
it 'notifies about invalid permissions' do
expect(response).to set_flash.to /not authorized/
it 'pretends that source projects does not exist' do
expect(response).to set_flash.to /source project not found/
end
end
end
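Review bot: the renamed example, as far as the visible lines show, asserts only on the flash for a source project the user cannot read; nothing here covers a `source_project_id` that does not exist at all. Add a case for a missing id that expects the same flash (`/source project not found/`) and the same redirect, since the change only holds if the two cases are indistinguishable to the caller. Minor: the description reads 'source projects does not exist', which should be 'source project'.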