Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'

changelogs/unreleased/security-10-4-todo-api-reveals-sensitive-information.yml

+---
+title: Restrict Todo API mark_as_done endpoint to the user's todos only
+merge_request:
+author:
+type: security

lib/api/todos.rb

@@ -60,7 +60,7 @@ module API
       end
       post ':id/mark_as_done' do
         TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
-        todo = Todo.find(params[:id])
+        todo = current_user.todos.find(params[:id])
 
         present todo, with: Entities::Todo, current_user: current_user
       end

lib/api/v3/todos.rb

@@ -12,7 +12,7 @@ module API
         end
         delete ':id' do
           TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
-          todo = Todo.find(params[:id])
+          todo = current_user.todos.find(params[:id])
 
           present todo, with: ::API::Entities::Todo, current_user: current_user
         end

spec/requests/api/todos_spec.rb

@@ -129,6 +129,12 @@ describe API::Todos do
 
         post api("/todos/#{pending_1.id}/mark_as_done", john_doe)
       end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        post api("/todos/#{pending_1.id}/mark_as_done", author_1)
+
+        expect(response.status).to eq(404)
+      end
     end
   end
 

spec/requests/api/v3/todos_spec.rb

@@ -38,6 +38,12 @@ describe API::V3::Todos do
 
         delete v3_api("/todos/#{pending_1.id}", john_doe)
       end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        delete v3_api("/todos/#{pending_1.id}", author_1)
+
+        expect(response.status).to eq(404)
+      end
     end
   end