diff options
| author | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:39:10 +0200 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2015-04-10 18:40:39 +0200 |
| commit | 1f813024bacc8ea6ac066c9707aeb414fade0e0a (patch) | |
| tree | e3927b821d62921ac0e9e6623c6a770efe8c0059 /app/controllers/search_controller.rb | |
| parent | 24d139ba971cf61a4b7a01031c4c57bcba29b172 (diff) | |
| download | gitlab-ce-1f813024bacc8ea6ac066c9707aeb414fade0e0a.tar.gz | |
Don't leak existence of project via search autocomplete.
Diffstat (limited to 'app/controllers/search_controller.rb')
| -rw-r--r-- | app/controllers/search_controller.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb index a3284c82d3f..16a5ee2ae35 100644 --- a/app/controllers/search_controller.rb +++ b/app/controllers/search_controller.rb @@ -35,7 +35,12 @@ class SearchController < ApplicationController def autocomplete term = params[:term] - @project = Project.find(params[:project_id]) if params[:project_id].present? + + if params[:project_id].present? + @project = Project.find_by(id: params[:project_id]) + @project = nil unless can?(current_user, :read_project, @project) + end + @ref = params[:project_ref] if params[:project_ref].present? render json: search_autocomplete_opts(term).to_json |