delta/gitlab/gitlab-ce.git/app/controllers/dashboard/groups_controller.rb, branch api-shared-groups gitlab.com: gitlab-org/gitlab-ce.git Fix an information disclosure when requesting access to a group containing private projects 2016-06-24T10:01:48+00:00 Rémy Coutable remy@rymai.me 2016-06-24T10:01:48+00:00 aec3475df94bc9681a723c344f3df05972ebe68c The issue was with the `User#groups` and `User#projects` associations which goes through the `User#group_members` and `User#project_members`. Initially I chose to use a secure approach by storing the requester's user ID in `Member#created_by_id` instead of `Member#user_id` because I was aware that there was a security risk since I didn't know the codebase well enough. Then during the review, we decided to change that and directly store the requester's user ID into `Member#user_id` (for the sake of simplifying the code I believe), meaning that every `group_members` / `project_members` association would include the requesters by default... My bad for not checking that all the `group_members` / `project_members` associations and the ones that go through them (e.g. `Group#users` and `Project#users`) were made safe with the `where(requested_at: nil)` / `where(members: { requested_at: nil })` scopes. Now they are all secure. Signed-off-by: Rémy Coutable <remy@rymai.me> 
The issue was with the `User#groups` and `User#projects` associations
which goes through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's
user ID in `Member#created_by_id` instead of `Member#user_id` because I
was aware that there was a security risk since I didn't know the
codebase well enough.

Then during the review, we decided to change that and directly store the
requester's user ID into `Member#user_id` (for the sake of simplifying
the code I believe), meaning that every `group_members` / `project_members`
association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members`
associations and the ones that go through them (e.g. `Group#users` and
`Project#users`) were made safe with the `where(requested_at: nil)` /
`where(members: { requested_at: nil })` scopes.

Now they are all secure.

Signed-off-by: Rémy Coutable <remy@rymai.me>
Use the configured Kaminari "per page" default 2016-03-19T21:37:54+00:00 Robert Speicher rspeicher@gmail.com 2016-03-19T21:37:54+00:00 085538c2bd817fc083ee9e42c9fdd7f74fc48ecb 






Add a page title to every page.
2015-04-30T17:12:15+00:00

Douwe Maan
douwe@gitlab.com

2015-04-30T17:06:18+00:00

26ad250989d82b496b131811f8a0ddd7e662b650












Move group leave action from dashboard/groups to groups/group_members.
2015-03-15T12:52:28+00:00

Douwe Maan
douwe@gitlab.com

2015-03-13T15:28:33+00:00

84371de01f3ce7bab334539a93734658528736ec












Use same constant for amount of items per page
2015-03-12T22:37:00+00:00

Dmitriy Zaporozhets
dmitriy.zaporozhets@gmail.com

2015-03-12T22:37:00+00:00

f0cbbd70bba7c44e9b09a3472e6c2f6f58623150












Move profile groups page to dashboard
2015-03-09T00:03:30+00:00

Dmitriy Zaporozhets
dmitriy.zaporozhets@gmail.com

2015-03-09T00:03:30+00:00

9b3e156e43b8a14e4eb294a47bda6a477c8573b0