1. 24 Jun, 2016 3 commits
    • Rémy Coutable's avatar
      Fix an information disclosure when requesting access to a group containing private projects · aec3475d
      Rémy Coutable authored
      The issue was with the `User#groups` and `User#projects` associations
      which goes through the `User#group_members` and `User#project_members`.
      
      Initially I chose to use a secure approach by storing the requester's
      user ID in `Member#created_by_id` instead of `Member#user_id` because I
      was aware that there was a security risk since I didn't know the
      codebase well enough.
      
      Then during the review, we decided to change that and directly store the
      requester's user ID into `Member#user_id` (for the sake of simplifying
      the code I believe), meaning that every `group_members` / `project_members`
      association would include the requesters by default...
      
      My bad for not checking that all the `group_members` / `project_members`
      associations and the ones that go through them (e.g. `Group#users` and
      `Project#users`) were made safe with the `where(requested_at: nil)` /
      `where(members: { requested_at: nil })` scopes.
      
      Now they are all secure.
      Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      aec3475d
    • Stan Hu's avatar
      Merge branch 'fix-settings-spec' into 'master' · 4477dc24
      Stan Hu authored
      Fix settings_spec so that it can that run by itself
      
      Running `spec/settings_spec.rb` would fail because it would attempt to load `1_settings.rb`, which would reference `Rails`. This constant was not loaded without `spec_helper.rb`.
      
      
      See merge request !4893
      4477dc24
    • Stan Hu's avatar
      6ba627f7
  2. 23 Jun, 2016 37 commits