• Robert Speicher's avatar
    Merge branch '19102-fix' into 'master' · 7917cbbb
    Robert Speicher authored
    Fix an information disclosure when requesting access to a group containing private projects
    
    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19102.
    
    The commit speaks for itself:
    
        Fix an information disclosure when requesting access to a group containing private projects
        
        The issue was with the `User#groups` and `User#projects` associations
        which goes through the `User#group_members` and `User#project_members`.
        
        Initially I chose to use a secure approach by storing the requester's
        user ID in `Member#created_by_id` instead of `Member#user_id` because I
        was aware that there was a security risk since I didn't know the
        codebase well enough.
        
        Then during the review, we decided to change that and directly store the
        requester's user ID into `Member#user_id` (for the sake of simplifying
        the code I believe), meaning that every `group_members` / `project_members`
        association would include the requesters by default...
        
        My bad for not checking that all the `group_members` / `project_members`
        associations and the ones that go through them (e.g. `Group#users` and
        `Project#users`) were made safe with the `where(requested_at: nil)` /
        `where(members: { requested_at: nil })` scopes.
        
        Now they are all secure.
    
    See merge request !1973
    7917cbbb
user_requests_access_spec.rb 1.93 KB