BigW Consortium Gitlab

Skip to content

G
gitlab-ce
Commit c52b5c92 by Grzegorz Bizon
Options

Do not leak project exists when importing members

When importing members, and user does not have permissions to read members in a source project, do not leak information about source project existence. Notifiy user that project has not been found instead.
parent b248ee93
Showing with 6 additions and 6 deletions
app/controllers/projects/project_members_controller.rb
......@@ -94,13 +94,13 @@ class Projects::ProjectMembersController < Projects::ApplicationController
end
def apply_import
giver = Project.find(params[:source_project_id])
source_project = Project.find(params[:source_project_id])
if current_user.can?(:read_project_member, giver)
status = @project.team.import(giver, current_user)
if can?(current_user, :read_project_member, source_project)
status = @project.team.import(source_project, current_user)
notice = status ? "Successfully imported" : "Import failed"
else
notice = 'You are not authorized to import members from this project'
notice = 'Import failed - source project not found!'
end
redirect_to(namespace_project_project_members_path(project.namespace, project),
......
spec/controllers/projects/project_members_controller_spec.rb
......@@ -41,8 +41,8 @@ describe Projects::ProjectMembersController do
expect(project.team_members).to_not include member
end
it 'notifies about invalid permissions' do
expect(response).to set_flash.to /not authorized/
it 'pretends that source projects does not exist' do
expect(response).to set_flash.to /source project not found/
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment