From 61e8ca8ce020781c6c4685fe8dcc508a08f24bf8 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Tue, 24 Mar 2015 15:55:12 +0100
Subject: Don't leak private group existence by redirecting from namespace
 controller to group controller.

---
 app/controllers/namespaces_controller.rb | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

(limited to 'app/controllers/namespaces_controller.rb')

diff --git a/app/controllers/namespaces_controller.rb b/app/controllers/namespaces_controller.rb
index b7a9d8c1291..386d103ee5a 100644
--- a/app/controllers/namespaces_controller.rb
+++ b/app/controllers/namespaces_controller.rb
@@ -4,14 +4,22 @@ class NamespacesController < ApplicationController
   def show
     namespace = Namespace.find_by(path: params[:id])
 
-    unless namespace
-      return render_404
+    if namespace
+      if namespace.is_a?(Group)
+        group = namespace
+      else
+        user = namespace.owner
+      end
     end
 
-    if namespace.type == "Group"
-      redirect_to group_path(namespace)
+    if user
+      redirect_to user_path(user)
+    elsif group && can?(current_user, :read_group, group)
+      redirect_to group_path(group)
+    elsif current_user.nil?
+      authenticate_user!
     else
-      redirect_to user_path(namespace.owner)
+      render_404
     end
   end
 end
-- 
cgit v1.2.1