BigW Consortium Gitlab
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.
Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.
Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...
My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.
Now they are all secure.
Signed-off-by: Rémy Coutable <remy@rymai.me>
Name |
Last commit
|
Last update |
---|---|---|
.. | ||
abuse_reports | Loading commit data... | |
appearances | Loading commit data... | |
application_settings | Loading commit data... | |
applications | Loading commit data... | |
background_jobs | Loading commit data... | |
broadcast_messages | Loading commit data... | |
builds | Loading commit data... | |
dashboard | Loading commit data... | |
deploy_keys | Loading commit data... | |
groups | Loading commit data... | |
health_check | Loading commit data... | |
hooks | Loading commit data... | |
identities | Loading commit data... | |
keys | Loading commit data... | |
labels | Loading commit data... | |
logs | Loading commit data... | |
projects | Loading commit data... | |
runners | Loading commit data... | |
services | Loading commit data... | |
spam_logs | Loading commit data... | |
users | Loading commit data... |